EP4120713A1 - Terminal device identifier obtaining method, apparatus and system - Google Patents

Publication number
EP4120713A1
Authority
EP (European Patent Office)
Prior art keywords
terminal device
network element
identifier
management network
supi
Legal status
Pending
Application number
EP20928846.3A
Other languages
German (de)
French (fr)
Other versions
EP4120713A4 (en)
Inventor
Yizhuang WU
He Li
Li Hu
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of EP4120713A1
Publication of EP4120713A4

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/043 Key management using a trusted network node as an anchor
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 76/11 Allocation or use of connection identifiers
    • H04W 8/00 Network data management
    • H04W 8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W 8/20 Transfer of user or subscriber data
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/02 Terminal devices
    • H04W 88/04 Terminal devices adapted for relaying to or from another terminal or user

Definitions

  • This application relates to the field of communication technologies, and in particular, to a method for obtaining an identifier of a terminal device, an apparatus, and a system.
  • D2D communication allows direct communication between user equipments (user equipment, UE).
  • the remote device may establish, based on D2D communication, indirect communication with the communication network via a relay device (relay UE).
  • the remote device can obtain data from the communication network through communication between the remote device and the relay device, and interaction between the relay device and the communication network.
  • In the process in which the remote device establishes indirect communication with the communication network via the relay device, the relay device first needs to obtain an identifier of the remote device and report it to the communication network, so that the network can authenticate and authorize the remote device based on that identifier, or perform service control such as lawful interception based on it.
  • In one approach, the remote device provides its subscription permanent identifier (SUPI) to the relay device over the air interface in plaintext, and the relay device then forwards the received SUPI to the communication network. Sending the SUPI over the air interface in plaintext exposes user privacy: anyone observing the link learns the permanent subscriber identity.
  • an embodiment of this application provides a method for obtaining an identifier of a terminal device.
  • the method is performed by a key management network element, and the method includes:
  • the key management network element receives a first key request from a first terminal device, where the first key request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device.
  • After determining that the first key request carries the first identifier, the key management network element needs to determine the subscription permanent identifier (SUPI) of the second terminal device before it can act on the request.
  • the key management network element may send a first request to a unified data management network element, where the first request includes the first identifier.
  • the key management network element may receive a first response from the unified data management network element, where the first response includes the SUPI of the second terminal device.
  • the key management network element may perform an authorization check on the second terminal device based on the SUPI of the second terminal device, and after the authorization check on the second terminal device succeeds, send a first key response to the first terminal device.
  • the first key response includes a secure communication parameter, and the secure communication parameter is a parameter required for establishing secure communication between the first terminal device and the second terminal device.
  • the key management network element obtains the subscription permanent identifier of the second terminal device from the unified data management network element.
  • the key management network element only needs to obtain the anonymous identifier or the temporary identifier of the second terminal device from the first terminal device, without a need to obtain the subscription permanent identifier of the second terminal device from the first terminal device. This can effectively ensure security of the subscription permanent identifier of the second terminal device, and further avoid user privacy exposure.
  • the first response and the first key response further include a GPSI of the second terminal device, or may include the first identifier.
  • the first response and the first key response may further indicate the second terminal device by including the first identifier or the GPSI, to avoid user privacy exposure resulting from carrying the subscription permanent identifier.
  • the first request and the first response may be information in an existing interaction procedure between the key management network element and the unified data management network element.
  • the first request is a secure communication parameter obtaining request
  • the first response is a secure communication parameter obtaining response
  • the first request and the first response may be new information in an existing interaction procedure between the key management network element and the unified data management network element.
  • The first request and the first response can therefore be carried either in existing messages or in newly defined ones, which makes the method applicable to a wider range of deployments.
  • If the authorization check on the second terminal device fails, the key management network element may notify the first terminal device to refuse to serve, or to stop serving, the second terminal device, and may notify the unified data management network element to delete the correspondence between the first identifier and the SUPI of the second terminal device.
  • the key management network element may notify, in a timely and convenient manner, the first terminal device or the unified data management network element for a corresponding operation.
  • the key management network element may further send a first indication to the unified data management network element, where the first indication indicates to store the correspondence between the first identifier and the SUPI of the second terminal device.
  • the key management network element indicates, by sending the first indication, the unified data management network element to store the correspondence between the first identifier and the SUPI of the second terminal device, so that another network element can obtain the SUPI of the second terminal device from the unified data management network element based on the first identifier.
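The procedure in the bullets above, run end to end as an added example (illustrative code written for this page, not code from the patent or from Huawei): the relay UE sends a first key request carrying only the remote UE's anonymous or temporary identifier, the key management network element resolves it at the UDM, performs the authorization check on the SUPI, and answers with a secure communication parameter that names the remote UE by GPSI. The entity classes, message field names, subscriber records, the `suci-`/`tmp-` prefix convention and the SIDF lookup table are all assumptions made for the example; a real subscription identifier de-concealing function decrypts a SUCI rather than looking it up. The failure path (authorization refused, correspondence deleted at the UDM, relay told to refuse) is included, and `supi_on_air_interface` checks the property the patent is after: no SUPI appears on the relay leg.

```python
"""Added example (not the patent's code): a simulated run of the first-aspect
exchange between the relay UE (first terminal device), the key management
network element and the UDM, on both the success path and the failed
authorization path. All identifiers, subscriber records and the SIDF stub
are constructed; a real SIDF would decrypt a SUCI rather than look it up."""
import secrets

# Constructed subscriber profiles keyed by SUPI (IMSI form). The GPSI is the
# public identifier the network may return instead of the SUPI.
SUBSCRIBERS = {
    "imsi-001010000000001": {"gpsi": "msisdn-15550000001", "remote_ue_allowed": True},
    "imsi-001010000000002": {"gpsi": "msisdn-15550000002", "remote_ue_allowed": False},
}

# Constructed stand-in for the subscription identifier de-concealing NE:
# anonymous identifier -> SUPI. Assumption: a "suci-" prefix marks an
# anonymous identifier; anything else is treated as a temporary identifier.
SIDF_TABLE = {
    "suci-token-a1": "imsi-001010000000001",
    "suci-token-b2": "imsi-001010000000002",
}


class UDM:
    """Unified data management NE: resolves the first identifier to a SUPI."""

    def __init__(self):
        # Temporary identifier -> SUPI, e.g. allocated by the ProSe NE and reported here.
        self.temp_ids = {"tmp-7f3c": "imsi-001010000000002"}
        # First identifier -> SUPI, stored only on the KM NE's first indication.
        self.correspondences = {}

    def resolve(self, first_identifier):
        if first_identifier.startswith("suci-"):
            return SIDF_TABLE.get(first_identifier)
        return self.temp_ids.get(first_identifier)

    def handle_first_request(self, request):
        first_id = request["first_identifier"]
        supi = self.resolve(first_id)
        if supi is None:
            return {"msg": "first_response", "first_identifier": first_id, "error": "unknown"}
        if request.get("first_indication"):
            self.correspondences[first_id] = supi
        # The SUPI travels only on this core-network leg, never towards the relay.
        return {"msg": "first_response", "first_identifier": first_id,
                "supi": supi, "gpsi": SUBSCRIBERS[supi]["gpsi"]}

    def delete_correspondence(self, first_identifier):
        self.correspondences.pop(first_identifier, None)


class KeyManagementNE:
    """Key management NE: authorizes the remote UE and issues PC5 key material."""

    def __init__(self, udm):
        self.udm = udm

    def handle_first_key_request(self, request, transcript):
        first_id = request["first_identifier"]
        first_request = {"msg": "first_request", "first_identifier": first_id,
                         "first_indication": True}
        transcript.append(("KM->UDM", first_request))
        first_response = self.udm.handle_first_request(first_request)
        transcript.append(("UDM->KM", first_response))
        supi = first_response.get("supi")
        if supi is None or not SUBSCRIBERS[supi]["remote_ue_allowed"]:
            # Authorization failed: have the UDM drop the correspondence and
            # tell the relay to refuse (or stop) serving the remote UE.
            notice = {"msg": "delete_correspondence", "first_identifier": first_id}
            transcript.append(("KM->UDM", notice))
            self.udm.delete_correspondence(first_id)
            return {"msg": "first_key_response", "first_identifier": first_id,
                    "result": "refuse"}
        # Secure communication parameter: constructed placeholder for the PC5
        # key material. The remote UE is named by GPSI or first identifier only.
        return {"msg": "first_key_response", "first_identifier": first_id,
                "gpsi": first_response["gpsi"], "result": "ok",
                "secure_comm_param": secrets.token_hex(16)}


def run_key_request(first_identifier):
    """Drive one exchange; returns (transcript, udm, first_key_response)."""
    udm = UDM()
    km = KeyManagementNE(udm)
    transcript = []
    request = {"msg": "first_key_request", "first_identifier": first_identifier}
    transcript.append(("Relay->KM", request))
    response = km.handle_first_key_request(request, transcript)
    transcript.append(("KM->Relay", response))
    return transcript, udm, response


def supi_on_air_interface(transcript):
    """Privacy check: no message on the relay <-> KM leg may carry a SUPI."""
    return any("imsi-" in str(msg) for leg, msg in transcript if "Relay" in leg)
```

Calling `run_key_request("suci-token-a1")` returns the message transcript, the UDM state (now holding the stored correspondence) and a key response carrying the GPSI and a fresh secure communication parameter; `run_key_request("tmp-7f3c")` exercises the refusal path, after which the UDM no longer holds the correspondence, and an unknown identifier is refused the same way. In every case the transcript's relay leg carries only the first identifier and the GPSI.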
  • an embodiment of this application provides a method for obtaining an identifier of a terminal device.
  • the method is performed by a unified data management network element.
  • the unified data management network element may receive a first request from a key management network element.
  • the first request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device.
  • the unified data management network element may obtain a SUPI of the second terminal device based on the first identifier.
  • the unified data management network element sends a first response to the key management network element.
  • the first response includes the SUPI of the second terminal device.
  • the key management network element conveniently obtains the SUPI of the second terminal device by interacting with the unified data management network element.
  • the unified data management network element may obtain the SUPI of the second terminal device from a subscription identifier de-concealing network element based on the anonymous identifier of the second terminal device. In this way, a manner in which the unified data management network element obtains the SUPI of the second terminal device is more convenient.
  • the unified data management network element may determine the SUPI of the second terminal device based on a stored correspondence between a SUPI and a temporary identifier of a terminal device and based on the temporary identifier of the second terminal device.
  • the unified data management network element stores the correspondence between the temporary identifier and the SUPI of the terminal device, so that the SUPI of the second terminal device can be more conveniently provided for the key management network element.
  • Where the temporary identifier is used, the unified data management network element first needs to determine the temporary identifier allocated to the second terminal device. Two manners are introduced: the unified data management network element itself allocates the temporary identifier, sends it to the second terminal device via a proximity service network element, and stores the correspondence between the SUPI and the temporary identifier; or a proximity service network element allocates the temporary identifier, and the unified data management network element obtains it from that network element and stores the correspondence.
  • The unified data management network element can thus determine, in a plurality of different manners suited to different scenarios, the temporary identifier allocated to the second terminal device.
  • the unified data management network element may store the correspondence between the first identifier and the SUPI of the second terminal device, so that another network element subsequently obtains the SUPI of the second terminal device from the unified data management network element based on the first identifier.
  • the unified data management network element may actively store the correspondence between the first identifier and the SUPI of the second terminal device.
  • the unified data management network element may store the correspondence between the first identifier and the SUPI of the second terminal device under indication of the key management network element. For example, the unified data management network element receives a first indication from the key management network element, where the first indication indicates to store the correspondence between the first identifier and the SUPI of the second terminal device. Subsequently, the unified data management network element stores the correspondence between the first identifier and the SUPI of the second terminal device.
  • the unified data management network element may first determine whether the correspondence between the first identifier and the SUPI of the second terminal device needs to be stored, and then store the correspondence after determining that the correspondence between the first identifier and the SUPI of the second terminal device needs to be stored. For example, the unified data management network element determines, based on an attribute of the second terminal device, whether the correspondence between the first identifier and the SUPI of the second terminal device needs to be stored. There are a plurality of manners in which the unified data management network element determines to store the correspondence between the first identifier and the SUPI of the second terminal device, for different scenarios, thereby effectively extending an application scope.
  • the unified data management network element may further delete, as notified by the key management network element, the correspondence between the first identifier and the SUPI of the second terminal device, to save storage space.
  • the first response may include the first identifier, or may include another identifier of the second terminal device.
  • the unified data management network element may further determine a GPSI of the second terminal device based on the SUPI of the second terminal device, and include the GPSI of the second terminal device in the first response.
  • the first response may further include another identifier of the second terminal device, so that more information about the second terminal device can be provided to the key management network element.
  • the unified data management network element may further provide the SUPI of the second terminal device to another network element.
  • the other network element may be a session management network element or an access and mobility management network element. Descriptions are separately provided below:
  • the first response further includes the first identifier.
  • an embodiment of this application provides a method for obtaining an identifier of a terminal device.
  • a session management network element may receive a UE report message from a first terminal device.
  • the UE report message includes a second identifier and IP information allocated by the first terminal device to a second terminal device.
  • the second identifier is one of the following: an anonymous identifier of the second terminal device, a temporary identifier of the second terminal device, or a GPSI of the second terminal device.
  • the session management network element determines that the UE report message includes the second identifier, and that the SUPI of the second terminal device therefore needs to be obtained.
  • the session management network element may send a subscriber identity resolution request to a unified data management network element, where the subscriber identity resolution request includes the second identifier. Then, the session management network element receives a subscriber identity resolution response from the unified data management network element, where the subscriber identity resolution response includes the SUPI of the second terminal device. After obtaining the SUPI, the session management network element may perform service control on the second terminal device based on the SUPI and the IP information of the second terminal device.
  • the session management network element may obtain the subscription permanent identifier of the second terminal device from the unified data management network element.
  • the session management network element only needs to obtain the anonymous identifier or the temporary identifier of the second terminal device from the first terminal device, without a need to obtain the subscription permanent identifier of the second terminal device from the first terminal device. This can effectively ensure security of the subscription permanent identifier of the second terminal device, and further avoid user privacy exposure.
  • an embodiment of this application provides a method for obtaining an identifier of a terminal device.
  • the method is executed by an access and mobility management network element.
  • the access and mobility management network element receives a UE report message from a first terminal device.
  • the UE report message includes a second identifier and IP information allocated by the first terminal device to a second terminal device.
  • the second identifier is one of the following: an anonymous identifier of the second terminal device, a temporary identifier of the second terminal device, or a generic public subscription identifier GPSI of the second terminal device.
  • the access and mobility management network element determines that the UE report message includes the second identifier, and that the SUPI of the second terminal device needs to be obtained.
  • the access and mobility management network element may send an identifier resolution request to a unified data management network element, where the identifier resolution request includes the second identifier (not the SUPI, which the access and mobility management network element does not yet hold).
  • the access and mobility management network element receives an identifier resolution response from the unified data management network element, where the identifier resolution response includes the SUPI of the second terminal device. Then, the access and mobility management network element may send the SUPI and the IP information of the second terminal device to a session management network element.
  • the access and mobility management network element may obtain the subscription permanent identifier of the second terminal device from the unified data management network element, and then send the obtained subscription permanent identifier of the second terminal device to the session management network element.
  • the first terminal device no longer needs to provide the subscription permanent identifier of the second terminal device. This can effectively ensure security of the subscription permanent identifier of the second terminal device, and further avoid user privacy exposure.
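The UE report path of the third and fourth aspects, as an added example (illustrative code for this page, not code from the patent or from Huawei): the relay reports the remote UE's second identifier together with the IP information it allocated; the SMF (or the AMF, which then hands SUPI plus IP information to the SMF) resolves the identifier at the UDM and applies service control keyed on SUPI and IP. The identifier table, the policy entries, the address values, the message names and the `ipaddress`-based validation of the IP information are assumptions for the example; the three second-identifier kinds the patent allows (anonymous, temporary, GPSI) all resolve to the same subscriber so the same policy is reached whichever one the relay reports.

```python
"""Added example (not the patent's code): the UE report path of the third and
fourth aspects. The relay reports the remote UE's second identifier together
with the IP information it allocated; the SMF (or the AMF, which then hands
SUPI plus IP info to the SMF) resolves the identifier at the UDM and applies
service control keyed on SUPI and IP. Table, policy and addresses are constructed."""
import ipaddress

# Constructed UDM table: each of the three second-identifier kinds resolves
# to the same subscriber's SUPI.
UDM_IDENTIFIERS = {
    "suci-token-a1": "imsi-001010000000001",       # anonymous identifier
    "tmp-7f3c": "imsi-001010000000001",            # temporary identifier
    "msisdn-15550000001": "imsi-001010000000001",  # GPSI
}

# Constructed per-SUPI service control policy, e.g. a lawful interception flag.
POLICY = {"imsi-001010000000001": {"lawful_intercept": True, "max_kbps": 2000}}
DEFAULT_POLICY = {"lawful_intercept": False, "max_kbps": 500}


def udm_resolve(request):
    """UDM side of the (subscriber) identifier resolution request/response."""
    return {"msg": request["msg"].replace("request", "response"),
            "second_identifier": request["second_identifier"],
            "supi": UDM_IDENTIFIERS.get(request["second_identifier"])}


class SMF:
    """Session management NE: binds the resolved SUPI to the relay-allocated IP."""

    def __init__(self):
        self.bindings = {}   # (supi, ip) -> policy applied to that remote UE

    def apply_service_control(self, supi, ip_info):
        ip = ipaddress.ip_address(ip_info)   # ValueError on malformed IP info
        policy = POLICY.get(supi, DEFAULT_POLICY)
        self.bindings[(supi, str(ip))] = policy
        return policy

    def handle_ue_report(self, report):
        """Third aspect: the SMF resolves the second identifier itself."""
        return resolve_and_control(self, report, "subscriber_identity_resolution_request")


class AMF:
    """Fourth aspect: the AMF resolves, then passes SUPI and IP info to the SMF."""

    def __init__(self, smf):
        self.smf = smf

    def handle_ue_report(self, report):
        result = resolve_and_control(self.smf, report, "identifier_resolution_request")
        result["via"] = "amf"
        return result


def resolve_and_control(smf, report, request_msg):
    """Common core: resolve the second identifier at the UDM, then bind SUPI to IP.
    The returned dict stays inside the core network; nothing carrying the SUPI
    is sent back to the relay."""
    if "second_identifier" not in report:
        return {"result": "reject", "reason": "no second identifier"}
    response = udm_resolve({"msg": request_msg,
                            "second_identifier": report["second_identifier"]})
    if response["supi"] is None:
        return {"result": "reject", "reason": "unresolvable identifier"}
    try:
        policy = smf.apply_service_control(response["supi"], report.get("ip_info", ""))
    except ValueError:
        return {"result": "reject", "reason": "invalid ip info"}
    return {"result": "ok", "supi": response["supi"], "policy": policy}


if __name__ == "__main__":
    smf = SMF()
    print(smf.handle_ue_report({"second_identifier": "tmp-7f3c", "ip_info": "10.45.0.7"}))
    print(AMF(smf).handle_ue_report({"second_identifier": "msisdn-15550000001",
                                     "ip_info": "10.45.0.8"}))
    print(smf.bindings)
```

A report without a second identifier, with an identifier the UDM cannot resolve, or with malformed IP information is rejected before any binding is created, so the SMF's per-session state only ever contains SUPI-to-IP pairs the UDM vouched for.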
  • an embodiment of this application provides a method for obtaining an identifier of a terminal device.
  • the method is performed by a first terminal device.
  • the first terminal device may send a first key request to a key management network element.
  • the first key request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of the second terminal device.
  • the first terminal device may receive a first key response from the key management network element, where the first key response includes a secure communication parameter.
  • the first terminal device establishes secure communication with the second terminal device based on the secure communication parameter.
  • the first terminal device may obtain, from the key management network element based on the first identifier, the secure communication parameter for establishing secure communication with the second terminal device, and the first terminal device no longer needs to provide the subscription permanent identifier of the second terminal device. This can effectively ensure security of the subscription permanent identifier of the second terminal device, and further avoid user privacy exposure.
  • the first key response further includes a GPSI of the second terminal device or the first identifier, indicating the second terminal device.
  • an embodiment of this application further provides a communication apparatus.
  • the communication apparatus is used in a key management network element.
  • the apparatus has functions of implementing the behavior in the method example in the first aspect.
  • the functions may be implemented by hardware, or may be implemented by hardware executing corresponding software.
  • the hardware or the software includes one or more modules corresponding to the foregoing functions.
  • a structure of the apparatus includes a receiving unit, a processing unit, and a sending unit. These units may perform corresponding functions in the method example in the first aspect. For details, refer to the detailed descriptions in the method example. Details are not described herein again.
  • an embodiment of this application further provides a communication apparatus.
  • the communication apparatus is used in a unified data management network element.
  • the apparatus has functions of implementing the behavior in the method example in the second aspect.
  • the functions may be implemented by hardware, or may be implemented by hardware executing corresponding software.
  • the hardware or the software includes one or more modules corresponding to the foregoing functions.
  • a structure of the apparatus includes a receiving unit, a processing unit, and a sending unit. These units may perform corresponding functions in the method example in the second aspect. For details, refer to the detailed descriptions in the method example. Details are not described herein again.
  • an embodiment of this application further provides a communication apparatus.
  • the communication apparatus is used in a session management network element.
  • the apparatus has functions of implementing the behavior in the method example in the third aspect.
  • the functions may be implemented by hardware, or may be implemented by hardware executing corresponding software.
  • the hardware or the software includes one or more modules corresponding to the foregoing functions.
  • a structure of the apparatus includes a receiving unit, a processing unit, and a sending unit. These units may perform corresponding functions in the method example in the third aspect. For details, refer to the detailed descriptions in the method example. Details are not described herein again.
  • an embodiment of this application further provides a communication apparatus.
  • the communication apparatus is used in an access and mobility management network element.
  • the apparatus has functions of implementing the behavior in the method example in the fourth aspect.
  • the functions may be implemented by hardware, or may be implemented by hardware executing corresponding software.
  • the hardware or the software includes one or more modules corresponding to the foregoing functions.
  • a structure of the apparatus includes a receiving unit, a processing unit, and a sending unit. These units may perform corresponding functions in the method example in the fourth aspect. For details, refer to the detailed descriptions in the method example. Details are not described herein again.
  • an embodiment of this application further provides a communication apparatus.
  • the communication apparatus is used in a first terminal device.
  • the apparatus has functions of implementing the behavior in the method example in the fifth aspect.
  • the functions may be implemented by hardware, or may be implemented by hardware executing corresponding software.
  • the hardware or the software includes one or more modules corresponding to the foregoing functions.
  • a structure of the apparatus includes a receiving unit, a processing unit, and a sending unit. These units may perform corresponding functions in the method example in the fifth aspect. For details, refer to the detailed descriptions in the method example. Details are not described herein again.
  • an embodiment of this application further provides a communication apparatus.
  • the communication apparatus is used in a key management network element.
  • a structure of the communication apparatus includes a processor and a memory.
  • the processor is configured to support the key management network element in performing corresponding functions in the method in the first aspect.
  • the memory is coupled to the processor, and stores program instructions and data that are necessary for the communication apparatus.
  • the structure of the communication apparatus further includes a communication interface for communicating with another device.
  • an embodiment of this application further provides a communication apparatus.
  • the communication apparatus is used in a unified data management network element.
  • a structure of the communication apparatus includes a processor and a memory.
  • the processor is configured to support the unified data management network element in performing corresponding functions in the method in the second aspect.
  • the memory is coupled to the processor, and stores program instructions and data that are necessary for the communication apparatus.
  • the structure of the communication apparatus further includes a communication interface for communicating with another device.
  • an embodiment of this application further provides a communication apparatus.
  • the communication apparatus is used in a session management network element. For beneficial effects, refer to the description of the third aspect.
  • a structure of the communication apparatus includes a processor and a memory.
  • the processor is configured to support the session management network element in performing corresponding functions in the method in the third aspect.
  • the memory is coupled to the processor, and stores program instructions and data that are necessary for the communication apparatus.
  • the structure of the communication apparatus further includes a communication interface for communicating with another device.
  • an embodiment of this application further provides a communication apparatus.
  • the communication apparatus is used in an access and mobility management network element.
  • a structure of the communication apparatus includes a processor and a memory.
  • the processor is configured to support the access and mobility management network element in performing corresponding functions in the method in the fourth aspect.
  • the memory is coupled to the processor, and stores program instructions and data that are necessary for the communication apparatus.
  • the structure of the communication apparatus further includes a communication interface for communicating with another device.
  • an embodiment of this application further provides a communication apparatus.
  • the communication apparatus is used in a first terminal device.
  • a structure of the communication apparatus includes a processor and a memory.
  • the processor is configured to support the first terminal device in performing corresponding functions in the method in the fifth aspect.
  • the memory is coupled to the processor, and stores program instructions and data that are necessary for the communication apparatus.
  • the structure of the communication apparatus further includes a transceiver for communicating with another device.
  • an embodiment of this application further provides a communication system.
  • the communication system includes a key management network element and a unified data management network element.
  • the key management network element is configured to receive a first key request from a first terminal device, where the first key request includes a first identifier; and send a first request to the unified data management network element after determining that the first key request includes the first identifier, where the first request includes the first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device.
  • the unified data management network element is configured to receive the first request; after determining that the first request includes the first identifier, determine a subscription permanent identifier SUPI of the second terminal device based on the first identifier; and send a first response to the key management network element, where the first response includes the SUPI of the second terminal device.
  • the key management network element is further configured to receive the first response; perform an authorization check on the second terminal device based on the SUPI of the second terminal device; and after the authorization check on the second terminal device succeeds, send a first key response to the first terminal device.
  • the first key response includes a secure communication parameter, and the secure communication parameter is used by the first terminal device to establish secure communication with the second terminal device.
  • the first response and the first key response further include a GPSI of the second terminal device.
  • the unified data management network element is further configured to determine the GPSI of the second terminal device based on the SUPI of the second terminal device.
  • the first response and the first key response further include the first identifier.
  • the unified data management network element may store a correspondence between the first identifier and the SUPI of the second terminal device.
  • the key management network element sends a first indication to the unified data management network element, where the first indication indicates to store the correspondence between the first identifier and the SUPI of the second terminal device.
  • the unified data management network element is further configured to receive the first indication, and then store the correspondence between the first identifier and the SUPI of the second terminal device.
  • after the authorization check on the second terminal device fails, the key management network element notifies the unified data management network element to delete the correspondence between the first identifier and the SUPI of the second terminal device.
  • the unified data management network element is further configured to delete, as notified by the key management network element, the correspondence between the first identifier and the SUPI of the second terminal device.
  • when determining the SUPI of the second terminal device based on the anonymous identifier of the second terminal device, the unified data management network element obtains the SUPI from a subscription identifier de-concealing network element based on that anonymous identifier.
  • the unified data management network element determines the SUPI of the second terminal device based on a stored correspondence between a SUPI and a temporary identifier of a terminal device and based on the temporary identifier of the second terminal device.
  • the unified data management network element may allocate the temporary identifier to the second terminal device, send the temporary identifier to the second terminal device via a proximity service network element, and store a correspondence between the SUPI and the temporary identifier of the second terminal device.
  • the unified data management network element may obtain, from a proximity service network element, the temporary identifier allocated by the proximity service network element to the second terminal device, and store a correspondence between the SUPI and the temporary identifier of the second terminal device.
  • the system further includes a session management network element.
  • the session management network element is configured to receive a UE report message from the first terminal device, where the UE report message includes a second identifier and IP information allocated by the first terminal device to the second terminal device, and the second identifier is one of the following: the anonymous identifier, the temporary identifier, or the GPSI; and after determining that the UE report message includes the second identifier, send a subscriber identity resolution request to the unified data management network element, where the subscriber identity resolution request includes the second identifier.
  • the unified data management network element is further configured to receive the subscriber identity resolution request, determine the SUPI of the second terminal device based on the second identifier, and send a subscriber identity resolution response to the session management network element, where the subscriber identity resolution response includes the SUPI of the second terminal device.
  • the session management network element is further configured to receive the subscriber identity resolution response, and perform service control on the second terminal device based on the SUPI of the second terminal device and the IP information.
  • the system further includes an access and mobility management network element.
  • the access and mobility management network element is configured to receive the UE report message from the first terminal device, where the UE report message includes the second identifier and the IP information allocated by the first terminal device to the second terminal device, and the second identifier is one of the following: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device; and send an identifier resolution request to the unified data management network element, where the identifier resolution request includes the second identifier.
  • the unified data management network element is further configured to receive the identifier resolution request, determine the SUPI of the second terminal device based on the second identifier, and send an identifier resolution response to the access and mobility management network element, where the identifier resolution response includes the SUPI of the second terminal device.
  • the access and mobility management network element is further configured to receive the identifier resolution response, and send the SUPI of the second terminal device and the IP information to the session management network element.
  • the system further includes the first terminal device.
  • the first terminal device is configured to send the first key request to the key management network element, receive the first key response from the key management network element, and after establishing secure communication with the second terminal device based on the secure communication parameter, send the UE report message to the session management network element via the access and mobility management network element.
  • the system further includes the proximity service network element.
  • the proximity service network element is configured to allocate the temporary identifier to the second terminal device, and send the temporary identifier to the unified data management network element.
  • this application further provides a computer-readable storage medium.
  • the computer-readable storage medium stores instructions. When the instructions are run on a computer, the computer is enabled to perform the method in each of the foregoing aspects.
  • this application further provides a computer program product including instructions.
  • when the computer program product runs on a computer, the computer is enabled to perform the method in each of the foregoing aspects.
  • this application further provides a computer chip.
  • the chip is connected to a memory.
  • the chip is configured to read and execute a software program stored in the memory, to perform the method in each of the foregoing aspects.
  • FIG. 1 is a schematic diagram of a specific network architecture to which this application is applicable.
  • the network architecture is a network architecture of a 5G system.
  • a network element in the 5G architecture includes a terminal device (user equipment, UE).
  • the network architecture further includes a radio access network (radio access network, RAN), an access and mobility management function (access and mobility management function, AMF) network element, a session management function (session management function, SMF) network element, a user plane function (user plane function, UPF) network element, a unified data management (unified data management, UDM) network element, an application function (application function, AF) network element, a data network (data network, DN), and the like.
  • the terminal device is a device having a wireless transceiver function, and may be deployed on land, including an indoor or outdoor device, a handheld device, or an in-vehicle device; or may be deployed on water (for example, on a ship); or may be deployed in the air (for example, on an airplane, a balloon, or a satellite).
  • the terminal device may be a mobile phone (mobile phone), a tablet computer (pad), a computer having the wireless transceiver function, a virtual reality (virtual reality, VR) terminal, an augmented reality (augmented reality, AR) terminal, a wireless terminal in industrial control (industrial control), a wireless terminal in self driving (self driving), a wireless terminal in telemedicine (remote medical), a wireless terminal in a smart grid (smart grid), a wireless terminal in transportation safety (transportation safety), a wireless terminal in a smart city (smart city), a wireless terminal in a smart home (smart home), or the like.
  • the terminal devices include remote UE (for example, a second terminal device) and relay UE (for example, a first terminal device).
  • the remote UE is UE communicating with a data network via the relay UE.
  • the relay UE is UE capable of directly communicating with the data network.
  • the remote UE may send an anonymous identifier or an allocated temporary identifier of the remote UE to the relay UE, and the relay UE may send, to a PKMF network element, the anonymous identifier or the allocated temporary identifier sent by the remote UE.
  • the main function of the RAN is to control how a user wirelessly accesses a mobile communication network.
  • the RAN is a part of a mobile communication system.
  • the RAN implements a radio access technology.
  • the RAN resides between a device (for example, a mobile phone, a computer, or any remote controller) and a core network, and provides a connection between the device and the core network.
  • the AMF network element is responsible for access management and mobility management of a terminal.
  • the AMF network element includes a mobility management function of an MME in an LTE network architecture, and further includes an access management function.
  • the SMF network element is responsible for session management such as user session establishment.
  • the UPF network element is a user-plane function network element, and is mainly responsible for connecting to an external network.
  • the UPF network element includes related functions of a serving gateway (serving gateway, SGW) and a public data network gateway (public data network gateway, PDN-GW) in LTE.
  • the DN is a network responsible for providing services for the terminal. For example, some DNs provide a network access function for the terminal, and some other DNs provide a text messaging function for the terminal.
  • the UDM network element may store subscription information of a user, and implement a function similar to that of an HSS in 4G.
  • the UDM network element can determine a subscription permanent identifier (subscription permanent identifier, SUPI) of the terminal device based on the anonymous identifier or the temporary identifier of the remote UE.
  • the AF network element may be a third-party application control platform, or may be an operator-specific device.
  • the AF network element may provide services for a plurality of application servers.
  • a core network element further includes a proximity-based services key management function (proximity-based services key management function, PKMF) network element, a subscription identifier de-concealing function (subscription identifier de-concealing function, SIDF) network element, a proximity-based services (proximity-based Services, ProSe) network element, a unified data repository (unified data repository, UDR) network element, and a bootstrapping server function (bootstrapping server function, BSF) network element.
  • the PKMF network element is configured to manage a key for UE in ProSe communication.
  • the PKMF network element may be deployed independently, or may be co-deployed with another network element.
  • the PKMF network element may be co-deployed with the ProSe network element.
  • the SIDF network element is capable of decrypting a SUCI to obtain a SUPI.
  • the SIDF network element may be deployed independently, or may be co-deployed with another network element.
  • the SIDF network element may be co-deployed with the UDM network element.
  • the ProSe network element supports network-related actions for ProSe.
  • the ProSe network element has the following functions: a direct provisioning function and a direct discovery name management function.
  • the direct provisioning function is used to provide UE with necessary parameters, for example, a temporary identifier.
  • the direct discovery name management function is used for opening ProSe direct discovery to allocate ProSe application codes.
  • the ProSe network element may allocate a temporary identifier to the UE, notify the UE of the allocated temporary identifier, and may send, to the UDM network element, the temporary identifier that is allocated to the UE.
  • the UDR network element is mainly configured to store user-related subscription data, policy data, structured data used for exposure, and application data.
  • the BSF network element can provide, to the PKMF network element, a secure communication parameter required for establishing secure communication between the relay UE and the remote UE.
  • a key management network element may receive, from a first terminal device, a first key request including a first identifier, where the first identifier is an anonymous identifier or a temporary identifier of a second terminal device. After determining that the first key request includes the first identifier, the key management network element may request, based on the first identifier, to obtain a subscription permanent identifier of the second terminal device from a unified data management network element.
  • the key management network element may perform an authorization check on the second terminal device based on the subscription permanent identifier of the second terminal device. After the authorization check succeeds, the key management network element may send, to the first terminal device, a secure communication parameter for establishing secure communication. In embodiments of this application, the first terminal device no longer needs to provide the subscription permanent identifier of the second terminal device to the key management network element. The key management network element may obtain the subscription permanent identifier of the second terminal device from the unified data management network element for authorization check, ensuring security of the subscription permanent identifier of the second terminal device.
  • Step 201 A key management network element receives a first key request from a first terminal device, where the first key request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device.
  • Step 202 The key management network element determines that the first key request includes the first identifier. After receiving the first key request, the key management network element resolves the first key request. After determining that the first key request includes the first identifier, the key management network element obtains a subscription permanent identifier of the second terminal device by performing step 203.
  • Step 203 The key management network element sends a first request to a unified data management network element, where the first request includes the first identifier.
  • Step 204 The unified data management network element receives the first request from the key management network element, and obtains the subscription permanent identifier of the second terminal device based on the first identifier.
  • Step 205 The unified data management network element sends a first response to the key management network element, where the first response includes the subscription permanent identifier of the second terminal device.
  • Step 206 The key management network element performs an authorization check on the second terminal device based on the subscription permanent identifier of the second terminal device.
  • Step 207 The key management network element may send a first key response to the first terminal device, where the first key response includes a secure communication parameter.
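  • The exchange in steps 201 to 207, as an added runnable simulation that is not part of the patent or any vendor's code: the relay UE (first terminal device) presents only a SUCI or a temporary identifier, the PKMF (key management network element) resolves it to a SUPI through the UDM, runs the authorization check against its identifier set, and answers with a key response that carries the first identifier and GPSI but never the SUPI. The failure branch (second indication to the relay and deletion of the stored correspondence) and the rule of storing the SUCI correspondence only for commercial subscribers, both described later in this section, are included. All identifiers, subscriber data and the secure communication parameter are constructed, and the SIDF's ECIES de-concealment is stood in for by a table lookup.

```python
"""Steps 201 to 207 as a runnable simulation (added example, not the patent's
code). The relay UE sends only an anonymous (SUCI) or temporary identifier;
the PKMF resolves it to a SUPI via the UDM and runs the authorization check;
the SUPI never appears in the key response sent back to the relay."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Sidf:
    """Subscription identifier de-concealing function: SUCI -> SUPI."""
    concealed: dict  # constructed SUCI -> SUPI table (stands in for ECIES de-concealment)

    def deconceal(self, suci):
        return self.concealed.get(suci)


@dataclass
class Udm:
    """Unified data management: resolves the first identifier (step 204)."""
    sidf: Sidf
    temp_ids: dict = field(default_factory=dict)         # temporary identifier -> SUPI (from ProSe)
    gpsis: dict = field(default_factory=dict)            # SUPI -> GPSI
    subscriber_type: dict = field(default_factory=dict)  # SUPI -> "commercial" | "mission-critical"
    anon_corr: dict = field(default_factory=dict)        # stored SUCI -> SUPI correspondence

    def resolve(self, first_id, first_indication=False):
        if first_id.startswith("suci-"):
            supi = self.anon_corr.get(first_id) or self.sidf.deconceal(first_id)
            # Store the correspondence only when the PKMF indicates it and the
            # subscriber is commercial; public-safety subscribers are never stored.
            if supi and first_indication and self.subscriber_type.get(supi) == "commercial":
                self.anon_corr[first_id] = supi
            return supi
        return self.temp_ids.get(first_id)

    def delete_correspondence(self, first_id):
        self.anon_corr.pop(first_id, None)


@dataclass
class Pkmf:
    """ProSe key management function."""
    udm: Udm
    authorized: set  # identifier set: SUPIs allowed to communicate via the relay

    def handle_key_request(self, first_id):
        # Step 202: the relay must not present the remote UE's SUPI itself.
        if first_id.startswith("imsi-"):
            return {"status": "rejected", "reason": "SUPI must not be sent by the relay UE"}
        # Steps 203 to 205: first request / first response, carrying the first indication.
        supi = self.udm.resolve(first_id, first_indication=True)
        if supi is None or supi not in self.authorized:
            # Step 206 failed: second indication to the relay, UDM drops the correspondence.
            self.udm.delete_correspondence(first_id)
            return {"status": "failed", "second_indication": True}
        # Step 207: first key response; the SUPI stays inside the network.
        return {"status": "ok", "first_identifier": first_id,
                "gpsi": self.udm.gpsis.get(supi),
                "secure_communication_parameter": secrets.token_hex(16)}


def build_demo():
    """Constructed sample subscribers (not real values)."""
    sidf = Sidf({"suci-0-262-01-0-0-0-a1b2c3": "imsi-262011234567890",
                 "suci-0-262-01-0-0-0-d4e5f6": "imsi-262019876543210",
                 "suci-0-262-01-0-0-0-778899": "imsi-262015555555555"})
    udm = Udm(sidf)
    udm.temp_ids["tid-7f3a"] = "imsi-262011234567890"
    udm.gpsis = {"imsi-262011234567890": "msisdn-491701234567",
                 "imsi-262015555555555": "msisdn-491705555555"}
    udm.subscriber_type = {"imsi-262011234567890": "commercial",
                           "imsi-262019876543210": "commercial",
                           "imsi-262015555555555": "mission-critical"}
    pkmf = Pkmf(udm, authorized={"imsi-262011234567890", "imsi-262015555555555"})
    return udm, pkmf


if __name__ == "__main__":
    udm, pkmf = build_demo()
    print(pkmf.handle_key_request("tid-7f3a"))                    # authorized via temporary identifier
    print(pkmf.handle_key_request("suci-0-262-01-0-0-0-d4e5f6"))  # resolved, but not in the identifier set
```

  • The check worth noting in the simulation is the one on the response itself: whatever the outcome, the dictionary returned to the relay contains no SUPI, which is the property the patent's division of labour between the key management network element and the unified data management network element is meant to guarantee.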
  • the second terminal device may initiate a direct communication request to the first terminal device.
  • the direct communication request may include the anonymous identifier or the temporary identifier of the second terminal device.
  • the anonymous identifier or the temporary identifier is an identifier pre-allocated to the second terminal device.
  • the anonymous identifier may be an identifier that conceals the permanent identifier of a terminal device. Only a specific network element can obtain, based on the anonymous identifier, the information about the terminal device that is concealed in the anonymous identifier.
  • the anonymous identifier may be a subscription concealed identifier (subscription concealed identifier, SUCI), and the SUCI is a privacy preserving identifier containing the subscription permanent identifier (subscription permanent identifier, SUPI).
  • the temporary identifier may be a short-validity-period identifier that is allocated by a proximity service network element (such as a ProSe network element) or the unified data management network element to the second terminal device.
  • the proximity service network element may send the temporary identifier to the second terminal device in a registration process of the second terminal device. Specifically, the proximity service network element may allocate the temporary identifier to the second terminal device when receiving a registration request sent by the second terminal device, and sends a registration response message including the temporary identifier to the second terminal device. After allocating the temporary identifier to the second terminal device, the proximity service network element may send the temporary identifier of the second terminal device to the unified data management network element. After receiving the temporary identifier of the second terminal device, the unified data management network element may locally store a correspondence between the temporary identifier and the subscription permanent identifier of the second terminal device.
  • the unified data management network element may alternatively allocate the temporary identifier to the second terminal device in a registration process of the second terminal device. After allocating the temporary identifier to the second terminal device, the unified data management network element may locally store a correspondence between the temporary identifier and the subscription permanent identifier of the second terminal device. The unified data management network element may further send the temporary identifier of the second terminal device to the proximity service network element. For example, the proximity service network element sends the received temporary identifier to the second terminal device.
  • the proximity service network element or the unified data management network element may periodically update the temporary identifier of the second terminal device. After updating the temporary identifier of the second terminal device, the proximity service network element or the unified data management network element may send an updated temporary identifier of the second terminal device to the second terminal device. If the proximity service network element updates the temporary identifier of the second terminal device, the proximity service network element may send the updated temporary identifier of the second terminal device to the unified data management network element, so that the unified data management network element updates a locally stored temporary identifier of the second terminal device.
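  • The temporary identifier lifecycle just described (allocation at registration, the correspondence stored in the unified data management network element, and periodic update), as an added example that is not the patent's or any vendor's code. The validity period is a simulated tick counter, since the page gives no concrete period; the identifiers are random tokens so that a temporary identifier is unlinkable to the SUPI by construction, and after an update the stale identifier no longer resolves.

```python
"""Temporary identifier lifecycle between the ProSe network element and the
UDM (added example, not the patent's code). Validity is measured on a
simulated clock; all identifiers are constructed."""
from dataclasses import dataclass, field
import secrets


@dataclass
class UdmTempStore:
    """UDM side: one live temporary identifier per SUPI."""
    by_temp: dict = field(default_factory=dict)   # temporary identifier -> SUPI
    by_supi: dict = field(default_factory=dict)   # SUPI -> current temporary identifier

    def store(self, supi, temp_id):
        old = self.by_supi.get(supi)
        if old is not None:
            self.by_temp.pop(old, None)           # an updated identifier replaces the stale one
        self.by_supi[supi] = temp_id
        self.by_temp[temp_id] = supi

    def resolve(self, temp_id):
        """Returns the SUPI, or None if the identifier is unknown or has been replaced."""
        return self.by_temp.get(temp_id)


@dataclass
class ProSe:
    """ProSe network element allocating short-validity temporary identifiers."""
    udm: UdmTempStore
    validity: int                                 # ticks an identifier stays valid (assumption)
    issued: dict = field(default_factory=dict)    # SUPI -> (temp_id, expires_at)

    def _allocate(self, supi, now):
        temp_id = "tid-" + secrets.token_hex(4)   # random, carries nothing derived from the SUPI
        self.issued[supi] = (temp_id, now + self.validity)
        self.udm.store(supi, temp_id)             # the UDM learns the correspondence
        return temp_id

    def register(self, supi, now):
        """Registration request from the remote UE; the response carries the identifier."""
        return self._allocate(supi, now)

    def periodic_update(self, now):
        """Re-allocate every identifier whose validity period has elapsed."""
        return {supi: self._allocate(supi, now)
                for supi, (_tid, expires) in list(self.issued.items()) if now >= expires}


def run_scenario():
    """Constructed scenario: register at t=0 with validity 10, update at t=10."""
    udm = UdmTempStore()
    prose = ProSe(udm, validity=10)
    supi = "imsi-262011234567890"
    first = prose.register(supi, now=0)
    assert udm.resolve(first) == supi
    assert prose.periodic_update(now=5) == {}     # nothing expired yet
    second = prose.periodic_update(now=10)[supi]
    return {"first": first, "second": second,
            "first_resolves": udm.resolve(first), "second_resolves": udm.resolve(second)}


if __name__ == "__main__":
    print(run_scenario())
```

  • Because the unified data management network element replaces rather than appends the correspondence, a key request that arrives with an identifier from before the update fails resolution, which is the intended effect of a short-validity identifier.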
  • the first terminal device may perform step 201 of sending the first key request to the key management network element, to request the key management network element to perform an authorization check on the first terminal device.
  • the key management network element resolves the first key request. If the key management network element determines that an identifier included in the first key request is the anonymous identifier or the temporary identifier of the second terminal device, the key management network element cannot perform an authorization check on the second terminal device based on the anonymous identifier or the temporary identifier of the second terminal device.
  • the key management network element may perform step 203 of sending the first request including the first identifier, to request to obtain the subscription permanent identifier of the second terminal device from the unified data management network element.
  • the unified data management network element may determine the subscription permanent identifier of the second terminal device based on the anonymous identifier or the temporary identifier of the second terminal device, and feed back the first response including the subscription permanent identifier of the second terminal device to the key management network element.
  • the first request and the first response may be information in an existing interaction procedure between the key management network element and the unified data management network element.
  • the first request may be a secure communication parameter obtaining request.
  • the secure communication parameter obtaining request requests, from the unified data management network element, to obtain a secure communication parameter required for establishing secure communication between the first terminal device and the second terminal device.
  • the key management network element may carry the anonymous identifier or the temporary identifier of the second terminal device in the secure communication parameter obtaining request.
  • the secure communication parameter obtaining request further requests to obtain the subscription permanent identifier of the second terminal device from the unified data management network element.
  • the first response is a secure communication parameter obtaining response.
  • the secure communication parameter obtaining response includes the secure communication parameter required for establishing secure communication between the first terminal device and the second terminal device and the subscription permanent identifier of the second terminal device.
  • the foregoing describes an example in which the first request is the secure communication parameter obtaining request and the first response is the secure communication parameter obtaining response. Types of the first request and the first response are not limited in this embodiment of this application.
  • the first request and the first response may alternatively be other information in the existing interaction procedure between the key management network element and the unified data management network element.
  • the first request and the first response may be new information in the interaction procedure between the key management network element and the unified data management network element, which are dedicated to request to obtain the subscription permanent identifier of the second terminal device.
  • for example, the first request is a first subscriber identity resolution request, and the first response is a first subscriber identity resolution response.
  • the following describes a manner in which the unified data management network element determines the subscription permanent identifier of the second terminal device based on the anonymous identifier or the temporary identifier of the second terminal device.
  • the unified data management network element determines the subscription permanent identifier of the second terminal device based on the anonymous identifier of the second terminal device.
  • the unified data management network element locally stores a correspondence between the anonymous identifier and the subscription permanent identifier of the second terminal device.
  • the unified data management network element may determine the subscription permanent identifier of the second terminal device based on the stored correspondence and the anonymous identifier of the second terminal device.
  • the unified data management network element may alternatively obtain the subscription permanent identifier of the second terminal device from another network element based on the anonymous identifier of the second terminal device.
  • the another network element may be a subscription identifier de-concealing function network element or a unified data repository network element.
  • the unified data management network element may directly store the correspondence between the anonymous identifier and the subscription permanent identifier of the second terminal device.
  • the unified data management network element may first determine an attribute of the second terminal device, and determine, based on the attribute of the second terminal device, whether to store the correspondence between the anonymous identifier and the subscription permanent identifier of the second terminal device.
  • the unified data management network element may query for subscription information of the second terminal device based on the subscription permanent identifier of the second terminal device, to determine whether the second terminal device is a commercial subscriber. If the second terminal device is a commercial subscriber, the unified data management network element may store the correspondence. If the second terminal device is not a commercial subscriber, for example, the second terminal device is a public safety (mission critical) subscriber, the unified data management network element does not store the correspondence.
  • the unified data management network element may actively store the correspondence.
  • the unified data management network element may alternatively store the correspondence as indicated by the key management network element.
  • the key management network element may send a first indication to the unified data management network element.
  • the first indication instructs the unified data management network element to store the correspondence between the anonymous identifier and the subscription permanent identifier of the second terminal device.
  • a manner and a time for sending the first indication by the key management network element are not limited in this application.
  • the key management network element may separately send the first indication to the unified data management network element.
  • the key management network element may send the first indication to the unified data management network element in advance, or the key management network element may send the first indication to the unified data management network element after sending the first request, or the key management network element may send the first indication after receiving the first response.
  • the key management network element may include the first indication in a message that needs to be sent to the unified data management network element.
  • the key management network element may include the first indication in the first request.
  • the unified data management network element determines the subscription permanent identifier of the second terminal device based on the temporary identifier of the second terminal device.
  • the unified data management network element locally stores the correspondence between the temporary identifier and the subscription permanent identifier of the second terminal device.
  • the unified data management network element may determine the subscription permanent identifier of the second terminal device based on the stored correspondence and the temporary identifier of the second terminal device.
  • the unified data management network element may alternatively store the correspondence between the temporary identifier and the subscription permanent identifier of the second terminal device in another network element, for example, a unified data repository network element.
  • the unified data management network element may obtain the correspondence from that network element, and then determine the subscription permanent identifier of the second terminal device based on the temporary identifier of the second terminal device.
  • the unified data management network element may further determine a generic public subscription identifier (generic public subscription identifier, GPSI) of the second terminal device.
  • a manner in which the unified data management network element determines the generic public subscription identifier of the second terminal device based on the subscription permanent identifier of the second terminal device is similar to the manner in which the unified data management network element determines the subscription permanent identifier of the second terminal device based on the first identifier. For details, refer to the foregoing content. Details are not described herein again.
  • the key management network element may perform an authorization check on the second terminal device based on the subscription permanent identifier of the second terminal device.
  • the key management network element may store an identifier set.
  • Identifiers in the identifier set are subscription permanent identifiers of terminal devices that can directly communicate with the first terminal device.
  • the terminal devices indicated by the subscription permanent identifiers in the identifier set can establish a connection to a communication system for data exchange via the first terminal device, and are authorized to communicate via the first terminal device.
  • the key management network element may perform an authorization check on the second terminal device based on the identifier set and the subscription permanent identifier of the second terminal device. In other words, the key management network element determines whether the subscription permanent identifier of the second terminal device is an identifier in the identifier set.
  • if the authorization check performed by the key management network element on the second terminal device succeeds, the key management network element may directly perform step 207; alternatively, the key management network element may send the secure communication parameter obtaining request to the unified data management network element, obtain a secure communication parameter from the unified data management network element, and then perform step 207.
  • the first key response may further include the first identifier and the generic public subscription identifier of the second terminal device.
  • the second terminal device may be indicated using the first identifier or the generic public subscription identifier.
  • the secure communication parameter included in the first key response is a secure communication parameter required for establishing secure communication with the second terminal device.
  • the key management network element interacts with the unified data management network element to obtain the subscription permanent identifier of the second terminal device.
  • the key management network element may alternatively interact with a bootstrapping server function network element (BSF network element) based on the subscription permanent identifier of the second terminal device, to obtain the secure communication parameter.
  • if the authorization check performed on the second terminal device fails, the key management network element may send a second indication to the first terminal device. The second indication indicates that the authorization check performed on the second terminal device fails. After receiving the second indication, the first terminal device may terminate or refuse communication with the second terminal device, so as not to serve the second terminal device.
  • the key management network element may further notify the unified data management network element to delete the correspondence between the anonymous identifier and the subscription permanent identifier of the second terminal device.
  • the unified data management network element deletes, as notified by the key management network element, the stored correspondence between the anonymous identifier and the subscription permanent identifier of the second terminal device.
  • if the authorization check performed by the key management network element on the second terminal device succeeds, the first terminal device may establish secure communication with the second terminal device based on the secure communication parameter included in the first key response.
  • the first terminal device may send a direct security mode command to the second terminal device.
  • the direct security mode command includes key-related information, and the key-related information is determined based on the secure communication parameter (for example, the secure communication parameter may include the key-related information).
  • the second terminal device may generate a security key based on the key-related information.
  • the security key may be used for encrypting and/or integrity protecting data exchanged between the second terminal device and the first terminal device.
  • the second terminal device sends a direct security mode complete message to the first terminal device, to notify the first terminal device that a direct security mode is completed.
  • the first terminal device may send a direct communication response to the second terminal device in response to the direct communication request sent by the second terminal device.
  • the first terminal device may allocate an Internet Protocol (IP) address to the second terminal device.
  • the IP address is used by the second terminal device for data communication with a data network via the first terminal device.
  • the IP address may be an Internet Protocol version 6 (IPv6) prefix or an IPv4 address.
  • a process in which the second terminal device performs, based on the IP address, data communication with the data network via the first terminal device is as follows: The second terminal device performs data encapsulation using the IP address (for example, the IPv6 prefix or the IPv4 address) allocated by the first terminal device to the second terminal device, to generate a data packet, and sends the data packet to the first terminal device.
  • for a data packet generated through encapsulation using the IPv4 address, after receiving the data packet, the first terminal device translates the IPv4 address of the data packet into an IPv4 address of a PDU session (the IPv4 address of the PDU session is assigned by the network side to the first terminal device).
  • the PDU session is a PDU session for a relay service.
  • the first terminal device sends the data packet with the translated IPv4 address through a specific port.
  • the data packet further includes a port number of the specific port. The specific port is allocated by the first terminal device for transmission of the data packet of the second terminal device.
  • for a data packet generated through encapsulation using the IPv6 prefix, the first terminal device may directly send the data packet to the PDU session without address translation.
  • when receiving, from the data network, a data packet that needs to be sent to the second terminal device, the first terminal device resolves the IP address or the port number of the data packet, determines that the data packet is destined for the second terminal device, and sends the data packet to the second terminal device. For a data packet generated through encapsulation using the IPv4 address, the first terminal device identifies the second terminal device based on the port number of the data packet.
  • the first terminal device may send, to a session management network element, a UE report message including IP information of the second terminal device, so that the session management network element can perform service control based on the IP information, such as lawful interception and traffic statistics.
  • the IP information is the IPv6 prefix.
  • the first terminal device determines, based on the port number included in the data packet, that the data packet is from the second terminal device, and the IP information may be a port number range assigned by the first terminal device to the second terminal device.
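The IPv4 relaying described above is ordinary port-based address translation with one twist: the relay hands each remote terminal a disjoint port range, so a destination port alone identifies the remote device, and that port range (not the remote's private address) is the IP information reported to the session management network element. The following Python model is an added example, not code from the patent or from any 3GPP implementation; the packet shape, the private address pool, the block size of 1024 ports and the report format are all assumptions chosen for illustration.

```python
"""Relay-side IPv4 address translation with a per-remote port range (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class RelayNapt:
    """Models the first terminal device (relay UE) translating remote-UE IPv4 traffic."""

    def __init__(self, pdu_session_ip, private_net="192.168.100.", block_size=1024, first_port=10000):
        self.pdu_ip = pdu_session_ip      # assigned by the network side to the relay's PDU session
        self.private_net = private_net    # assumption: private pool handed to remote UEs
        self.block_size = block_size
        self.first_port = first_port
        self.remotes = {}        # remote id -> (private ip, (low, high))
        self.by_private_ip = {}  # private ip -> remote id
        self.bindings = {}       # (private ip, src port) -> translated port
        self.reverse = {}        # translated port -> (private ip, src port)

    def assign(self, remote_id):
        """Allocate a private IPv4 address and a disjoint port range to a remote UE."""
        if remote_id in self.remotes:
            return self.remotes[remote_id]
        index = len(self.remotes)
        low = self.first_port + index * self.block_size
        high = low + self.block_size - 1
        if high > 65535:
            raise RuntimeError("port space exhausted")
        private_ip = f"{self.private_net}{index + 2}"   # .1 is kept for the relay itself
        self.remotes[remote_id] = (private_ip, (low, high))
        self.by_private_ip[private_ip] = remote_id
        return private_ip, (low, high)

    def ue_report(self, remote_id, remote_identifier):
        """IP information for the SMF: the port range, since the private address is not routable."""
        _, (low, high) = self.remotes[remote_id]
        return {"identifier": remote_identifier,
                "ip_info": {"pdu_session_ipv4": self.pdu_ip, "port_range": (low, high)}}

    def outbound(self, pkt):
        """Rewrite a remote UE's packet onto the PDU session address and a port from its range."""
        remote_id = self.by_private_ip.get(pkt.src_ip)
        if remote_id is None:
            raise ValueError("source address not assigned to any remote UE; drop")
        key = (pkt.src_ip, pkt.src_port)
        port = self.bindings.get(key)
        if port is None:
            low, high = self.remotes[remote_id][1]
            port = next((p for p in range(low, high + 1) if p not in self.reverse), None)
            if port is None:
                raise RuntimeError("port range exhausted for remote UE")
            self.bindings[key] = port
            self.reverse[port] = key
        return Packet(self.pdu_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Deliver a packet from the data network: the destination port selects the remote UE.

        Returns None for traffic that matches no binding (unsolicited packets into a
        remote's range are not forwarded), otherwise (remote id, rewritten packet)."""
        if pkt.dst_ip != self.pdu_ip or pkt.dst_port not in self.reverse:
            return None
        private_ip, src_port = self.reverse[pkt.dst_port]
        remote_id = self.by_private_ip[private_ip]
        return remote_id, Packet(pkt.src_ip, pkt.src_port, private_ip, src_port, pkt.payload)
```

Two points a practitioner would check before trusting the port range as an identity for lawful interception or accounting: the relay must only accept a packet with a given private source address over the PC5 link it assigned that address to (this model keys on the source address alone and does not see the link), and inbound packets into a remote's range that match no outbound binding are dropped rather than forwarded, so the range cannot be used to reach a remote UE unsolicited.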
  • the UE report message may further include a second identifier.
  • the second identifier may be any one of the following identifiers for identifying the second terminal device: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, and the generic public subscription identifier of the second terminal device.
  • the second identifier in the UE report message may be obtained by the first terminal device from the key management network element, or may be obtained from the second terminal device.
  • the session management network element determines that the UE report message includes the second identifier. To determine a real identity of the second terminal device, the session management network element may request the subscription permanent identifier of the second terminal device from the unified data management network element.
  • the session management network element may send a second subscriber identity resolution request to the unified data management network element.
  • the second subscriber identity resolution request includes the second identifier.
  • the unified data management network element determines the subscription permanent identifier of the second terminal device based on the second identifier, and sends, to the session management network element, a second subscriber identity resolution response including the subscription permanent identifier of the second terminal device.
  • the session management network element obtains the subscription permanent identifier of the second terminal device.
  • the unified data management network element determines the subscription permanent identifier of the second terminal device based on the second identifier. Details are not described herein again.
  • the second identifier may alternatively be the subscription permanent identifier of the second terminal device.
  • the session management network element does not need to obtain the subscription permanent identifier from the unified data management network element, and may directly perform service control based on the IP information, such as lawful interception and traffic statistics.
  • the session management network element needs to interact with the unified data management network element to obtain the subscription permanent identifier of the second terminal device.
  • an access and mobility management network element may also interact with the unified data management network element to obtain the subscription permanent identifier of the second terminal device, and then sends the obtained subscription permanent identifier of the second terminal device to the session management network element.
  • the first terminal device may send an N1 message to the access and mobility management network element, where the N1 message includes a second identifier and an N1 SM message, and the N1 SM message includes IP information.
  • the access and mobility management network element may initiate an identifier resolution procedure, and send an identifier resolution request including the second identifier to the unified data management network element.
  • the unified data management network element may determine the subscription permanent identifier of the second terminal device based on the second identifier. Subsequently, the unified data management network element sends an identifier resolution response including the subscription permanent identifier of the second terminal device to the access and mobility management network element.
  • the access and mobility management network element sends the subscription permanent identifier of the second terminal device and the N1 SM message to the session management network element.
  • the subscription permanent identifier of the second terminal device and the N1 SM message may be included in an Nsmf message.
  • the session management network element may obtain the subscription permanent identifier of the second terminal device from the Nsmf message.
  • the first terminal device is allowed to send a second key request to the key management network element, where the second key request may include an international mobile subscriber identity (IMSI) of the second terminal device.
  • the key management network element may perform an authorization check on the second terminal device based on the IMSI of the second terminal device. After the authorization check on the second terminal device succeeds, the key management network element may obtain the secure communication parameter from the unified data management network element. After obtaining the secure communication parameter, the key management network element may send a second key response to the first terminal device, where the second key response includes the secure communication parameter.
  • the key management network element is a PKMF network element
  • the unified data management network element is a UDM network element
  • the session management network element is an SMF network element
  • the access and mobility management network element is an AMF network element
  • the proximity service network element is a ProSe network element.
  • the first identifier is a SUCI.
  • FIG. 3A and FIG. 3B show a method for obtaining an identifier of a terminal device according to an embodiment of this application. The method includes the following steps:
  • the first key request may request the PKMF network element to perform an authorization check on the remote UE, or may request to allocate a security key to the remote UE, or may request a secure communication parameter required for establishing secure communication between the remote UE and the relay UE.
  • the relay UE may directly send the first key request to the PKMF network element, or may send the first key request to the PKMF network element via another network element.
  • Step 305 After receiving the first key request, and determining that the first key request includes the SUCI, the PKMF network element selects the UDM network element based on the SUCI, and sends, to the UDM network element, a first subscriber identity resolution request including the SUCI, to request the UDM network element to resolve the SUCI.
  • Step 306 After receiving the first subscriber identity resolution request, the UDM network element obtains the SUCI in the first subscriber identity resolution request. The UDM network element determines a SUPI of the remote UE based on the SUCI of the remote UE.
  • a manner in which the UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE is not limited in this embodiment of this application.
  • a UDM network element capable of de-concealment can directly decrypt the SUCI of the remote UE to obtain the SUPI of the remote UE.
  • the UDM network element may invoke another network element (such as a SIDF network element), to obtain the SUPI of the remote UE from the another network element.
  • the UDM network element may further store a correspondence between the SUCI and the SUPI of the remote UE.
  • a location for storing the correspondence by the UDM network element is not limited in this embodiment of this application.
  • the UDM network element may locally store the correspondence, or may store the correspondence in another network element (for example, a UDR network element).
  • the stored correspondence between the SUCI and the SUPI of the remote UE may be obtained from the another network element.
  • the UDM network element may actively store the correspondence between the SUCI and the SUPI of the remote UE. For example, after determining the SUPI of the remote UE based on the SUCI of the remote UE, the UDM network element directly stores the correspondence, or may first determine, based on an attribute of the remote UE, whether to store the correspondence. The UDM network element may query for subscription information of the remote UE based on the SUPI of the remote UE, and store the correspondence after determining that the remote UE is a commercial subscriber.
  • the UDM network element may store the correspondence between the SUCI and the SUPI of the remote UE under indication of the PKMF network element.
  • the PKMF network element may send, to the UDM network element, a first indication indicating to store the correspondence between the SUCI and the SUPI of the remote UE.
  • the UDM network element may store the correspondence between the SUCI and the SUPI of the remote UE.
  • the first indication message may be separately sent, or may be included in a message (for example, the first subscriber identity resolution request) sent by the PKMF network element to the UDM network element.
  • Step 307. After determining the SUPI of the remote UE, the UDM network element feeds back a first subscriber identity resolution response to the PKMF network element, where the first subscriber identity resolution response includes the SUPI of the remote UE.
  • the UDM network element may further determine a GPSI of the remote UE based on the SUPI of the remote UE, and include the GPSI of the remote UE in the first subscriber identity resolution response.
  • Step 308 After receiving the first subscriber identity resolution response, the PKMF network element obtains the SUPI of the remote UE from the first subscriber identity resolution response. The PKMF network element performs the authorization check on the remote UE based on the SUPI of the remote UE, to determine whether the remote UE is authorized to connect to a network for data exchange with a DN via the selected relay UE.
  • the PKMF network element may pre-store a SUPI set including one or more SUPIs. All terminal devices corresponding to the SUPIs in the set can connect to the network via the relay UE.
  • the PKMF network element may determine whether the SUPI of the remote UE belongs to the SUPI set. If the SUPI of the remote UE belongs to the SUPI set, the authorization check performed by the PKMF network element on the remote UE succeeds, and the remote UE can perform data exchange with the 5G system via the relay UE. Otherwise, the authorization check performed by the PKMF network element fails.
  • the first subscriber identity resolution response may further include the GPSI of the remote UE.
  • Step 309 After the authorization check performed by the PKMF network element on the remote UE succeeds, the PKMF network element obtains a secure communication parameter from the UDM network element, where the secure communication parameter is the parameter required for establishing secure communication between the relay UE and the remote UE.
  • the secure communication parameter may include key-related information for generating a security key.
  • the PKMF network element may alternatively obtain the secure communication parameter via another network element such as a BSF network element.
  • if the authorization check performed by the PKMF network element on the remote UE fails, the PKMF network element may send authorization failure indication information to the relay UE, so that the relay UE terminates or refuses to serve the remote UE.
  • in that case the PKMF network element may further notify the UDM network element to delete the stored correspondence between the SUCI and the SUPI of the remote UE. After receiving the notification, the UDM network element deletes the correspondence if it has already stored the correspondence between the SUCI and the SUPI of the remote UE. Otherwise, the UDM network element ignores the notification.
  • Step 310. After obtaining the secure communication parameter, the PKMF network element may send a first key response to the relay UE, where the first key response includes the secure communication parameter.
  • the first key response may further include the SUCI of the remote UE.
  • the SUCI of the remote UE included in the first key response is used by the relay UE to provide the information for a core network element such as the SMF network element or the AMF network element.
  • the first key response may not include the secure communication parameter.
  • the PKMF network element does not need to perform step 309.
  • the PKMF network element directly sends the first key response, to indicate that the authorization check performed on the remote UE succeeds.
  • the first key response includes the secure communication parameter including the key-related information.
  • the first subscriber identity resolution response includes the GPSI of the remote UE
  • the first key response may not include the SUCI, but may include the GPSI of the remote UE.
  • Step 311 After receiving the first key response, the relay UE establishes secure communication with the remote UE based on the secure communication parameter.
  • Step 312. The relay UE sends a direct communication response to the remote UE in response to the direct communication request.
  • Step 313. The relay UE assigns, to the remote UE, an IP address required for communication.
  • the IP address may be an IPv6 prefix or an IPv4 address.
  • Step 314. The relay UE needs to send a UE report message to the SMF network element, where the UE report message includes the SUCI and IP information of the remote UE. If the IP address in step 313 is the IPv6 prefix, the IP information is the IPv6 prefix assigned by the relay UE to the remote UE. If the IP address in step 313 is the IPv4 address, the IP information is a port number range assigned by the relay UE to the remote UE.
  • the SUCI of the remote UE included in the UE report message for the relay UE may be obtained from the first key response, or may be obtained from the direct communication request.
  • Step 315 After receiving the UE report message, and determining that the UE report message includes the SUCI, the SMF network element sends a second subscriber identity resolution request including the SUCI to the UDM network element, to request the UDM network element to resolve the SUCI.
  • Step 316 After receiving the second subscriber identity resolution request, the UDM network element obtains the SUCI in the second subscriber identity resolution request. The UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE.
  • a manner in which the UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE is similar to the manner in which the UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE in step 306. For details, refer to the foregoing content. Details are not described herein again. It should be noted that, if the UDM network element stores the correspondence between the SUCI and the SUPI of the remote UE, when determining the SUPI of the remote UE based on the SUCI of the remote UE, the UDM network element may directly determine the SUPI of the remote UE based on the correspondence and the SUCI of the remote UE.
  • the UDM network element may delete the correspondence after the UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE.
  • Step 317 After determining the SUPI of the remote UE, the UDM network element feeds back a second subscriber identity resolution response to the SMF network element, where the second subscriber identity resolution response includes the SUPI of the remote UE.
  • Step 318 After receiving the second subscriber identity resolution response, the SMF network element obtains the SUPI of the remote UE from the second subscriber identity resolution response. Further, the SMF network element may perform service control based on the SUPI and the received IP information, such as lawful interception and traffic statistics. This is not limited herein.
  • the SUCI of the remote UE in step 314 to step 316 may be replaced with the GPSI of the remote UE.
  • the PKMF network element first requests to obtain the SUPI of the remote UE from the UDM network element, and then requests the secure communication parameter from the UDM network element or another network element.
  • the PKMF network element may request the secure communication parameter while requesting to obtain the SUPI of the remote UE from the UDM network element.
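The point of steps 305 to 318 is that the SUCI is de-concealed once: the UDM keeps the SUCI-to-SUPI correspondence on the PKMF's indication, the PKMF authorizes on the SUPI (and has the correspondence deleted if authorization fails), and when the SMF later presents the same SUCI in the UE report, the UDM answers from the stored correspondence instead of running the de-concealment again. The Python model below is an added example, not code from the patent or from 3GPP; the SUCI concealment is a toy keyed-keystream construction (an assumption standing in for the ECIES profile a real SIDF uses), and the home network key, the subscriber keys, the relay identifier and the remote UE's SUPI are all constructed. The same mechanics cover the temporary-identifier flow of FIG. 6A to FIG. 6C, where the UDM already holds the mapping and no de-concealment is needed.

```python
"""SUCI/SUPI resolution with a stored correspondence, modelled after FIG. 3A/3B (added example)."""
import hashlib
import hmac
import os

HOME_NETWORK_KEY = b"constructed-home-network-key"  # assumption: known to the UE and the SIDF


def _keystream(key, nonce, length):
    """Toy keystream (assumption, not 3GPP ECIES): SHA-256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def conceal(supi):
    """UE side: conceal the MSIN part, leaving the PLMN in clear for routing.

    A fresh nonce makes every SUCI different, like the ephemeral key in a real SUCI."""
    assert supi.startswith("imsi-")
    plmn, msin = supi[5:10], supi[10:]
    nonce = os.urandom(8)
    ks = _keystream(HOME_NETWORK_KEY, nonce, len(msin))
    ct = bytes(a ^ b for a, b in zip(msin.encode(), ks))
    return f"suci-{plmn}-{nonce.hex()}-{ct.hex()}"


class UDM:
    def __init__(self, subscriber_keys):
        self.subscriber_keys = subscriber_keys  # SUPI -> long-term key (constructed)
        self.correspondence = {}                # SUCI -> SUPI, kept only when asked to
        self.deconcealments = 0                 # counts SIDF work, to show it happens once

    def _deconceal(self, suci):
        _, plmn, nonce_hex, ct_hex = suci.split("-")
        ct = bytes.fromhex(ct_hex)
        ks = _keystream(HOME_NETWORK_KEY, bytes.fromhex(nonce_hex), len(ct))
        self.deconcealments += 1
        return "imsi-" + plmn + bytes(a ^ b for a, b in zip(ct, ks)).decode()

    def resolve(self, suci, store=False):
        """Subscriber identity resolution (steps 306 and 316): stored correspondence first."""
        supi = self.correspondence.get(suci)
        if supi is None:
            supi = self._deconceal(suci)
            if store:                       # first indication from the PKMF
                self.correspondence[suci] = supi
        return supi

    def delete_correspondence(self, suci):
        self.correspondence.pop(suci, None)  # notification is ignored if nothing is stored

    def secure_communication_parameter(self, supi, relay_id):
        """Step 309: key-related information bound to subscriber and relay (toy derivation)."""
        return hmac.new(self.subscriber_keys[supi], b"prose-relay|" + relay_id.encode(),
                        hashlib.sha256).hexdigest()


class PKMF:
    def __init__(self, udm, authorized_supis):
        self.udm, self.authorized = udm, set(authorized_supis)   # pre-stored SUPI set

    def handle_first_key_request(self, relay_id, suci):
        supi = self.udm.resolve(suci, store=True)             # steps 305 to 307
        if supi not in self.authorized:                       # step 308 fails
            self.udm.delete_correspondence(suci)              # nobody will ask for it again
            return {"result": "authorization_failure"}
        param = self.udm.secure_communication_parameter(supi, relay_id)   # step 309
        return {"result": "ok", "secure_communication_parameter": param, "suci": suci}  # step 310


class SMF:
    def __init__(self, udm):
        self.udm = udm
        self.sessions = {}   # SUPI -> IP information, for lawful interception and accounting

    def handle_ue_report(self, suci, ip_info):
        supi = self.udm.resolve(suci)            # steps 315 to 317, served from the stored mapping
        self.udm.delete_correspondence(suci)     # correspondence is single use
        self.sessions[supi] = ip_info
        return supi                              # step 318: service control keyed by SUPI
```

Deleting the correspondence after the SMF's lookup, and on authorization failure, is what keeps the UDM from accumulating a table that links every SUCI ever seen to a permanent identity; a deployment that stores it in a UDR should apply the same lifetime there.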
  • FIG. 4A and FIG. 4B show a method for obtaining an identifier of a terminal device according to an embodiment of this application. The method includes the following steps:
  • the UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE and stores a correspondence between the SUCI and the SUPI of the remote UE, refer to related descriptions in step 306. Details are not described herein again.
  • Step 407 After determining the SUPI of the remote UE, the UDM network element feeds back a secure communication parameter obtaining response to the PKMF network element, where the secure communication parameter obtaining response includes the SUPI of the remote UE and the secure communication parameter.
  • the UDM network element may further determine a GPSI of the remote UE based on the SUPI of the remote UE, and include the GPSI of the remote UE in the secure communication parameter obtaining response.
  • Step 408 After receiving the secure communication parameter obtaining response, the PKMF network element obtains the SUPI of the remote UE from the secure communication parameter obtaining response. The PKMF network element performs the authorization check on the remote UE based on the SUPI of the remote UE, to determine whether the remote UE is authorized to connect to a network for data exchange with a DN via the selected relay UE.
  • Step 409. If the authorization check succeeds, the PKMF network element may send a first key response to the relay UE, where the first key response includes the secure communication parameter.
  • Step 410. After the authorization check on the remote UE succeeds, the relay UE establishes secure communication with the remote UE based on the secure communication parameter.
  • Step 411 to step 417 are the same as step 312 to step 318.
  • in the foregoing embodiments, the first key response sent by the PKMF network element to the relay UE includes the SUCI of the remote UE. Alternatively, the PKMF network element may directly notify the relay UE of the SUPI of the remote UE.
  • FIG. 5A and FIG. 5B show a method for obtaining an identifier of a terminal device according to an embodiment of this application. The method includes the following steps:
  • the first key response may further include the SUPI of the remote UE.
  • Step 511 to step 513 are the same as step 311 to step 313.
  • Step 514 The relay UE needs to send a UE report message to the SMF network element, where the UE report message includes the SUPI and IP information of the remote UE. If the IP address in step 513 is an IPv6 prefix, the IP information is the IPv6 prefix assigned by the relay UE to the remote UE. If the IP address in step 513 is an IPv4 address, the IP information is a port number range assigned by the relay UE to the remote UE. The IPv4 address corresponds to the port number range.
  • the SUCI of the remote UE included in the UE report message for the relay UE may be obtained from the first key response, or may be obtained from the direct communication request.
  • Step 515 The SMF network element obtains the SUPI of the remote UE from the UE report message. Further, the SMF network element may perform service control based on the SUPI and the received IP information, such as lawful interception and traffic statistics. This is not limited herein.
  • the PKMF network element may directly send a secure parameter obtaining request including the SUCI to the UDM network element.
  • the UDM network element determines the SUPI of the remote UE based on the SUCI, and determines the secure communication parameter. Subsequently, the UDM network element sends a secure parameter obtaining response to the PKMF network element, where the secure parameter obtaining response includes the SUPI of the remote UE and the secure communication parameter.
  • the SMF network element determines the SUPI of the remote UE with no need to interact with the UDM network element, so that signaling interaction can be further reduced.
  • the first identifier is a temporary identifier of the remote UE.
  • FIG. 6A to FIG. 6C show a method for obtaining an identifier of a terminal device according to an embodiment of this application. The method includes the following steps:
  • the UDM network element may locally store a correspondence between the temporary identifier and a SUPI of the remote UE.
  • Step 603. The ProSe network element sends the temporary identifier of the remote UE to the remote UE.
  • the relay UE initiates a registration procedure with an AMF network element via a RAN, so that the relay UE registers with the 5G system.
  • Step 605. The remote UE initiates a discovery procedure for data exchange with a data network, to discover the relay UE.
  • the remote UE may send a direct communication request to the relay UE, where the direct communication request requests to establish a communication connection to the relay UE, and the direct communication request includes the temporary identifier of the remote UE.
  • Step 607 After receiving the direct communication request, the relay UE may send a first key request to a PKMF network element, where the first key request includes the temporary identifier.
  • the relay UE may directly send the first key request to the PKMF network element, or may send the first key request to the PKMF network element via another network element.
  • Step 608 After receiving the first key request, and determining that the first key request includes the temporary identifier, the PKMF network element selects the UDM network element based on the temporary identifier, and sends, to the UDM network element, a first subscriber identity resolution request including the temporary identifier, to request the UDM network element to resolve the temporary identifier.
  • Step 609 After receiving the first subscriber identity resolution request, the UDM network element obtains the temporary identifier in the first subscriber identity resolution request. The UDM network element determines the SUPI of the remote UE based on the temporary identifier of the remote UE.
  • the UDM network element determines the SUPI of the remote UE based on the stored correspondence between the temporary identifier and the SUPI of the remote UE.
  • Step 610 After determining the SUPI of the remote UE, the UDM network element feeds back a first subscriber identity resolution response to the PKMF network element, where the first subscriber identity resolution response includes the SUPI of the remote UE.
  • Step 611 to step 612 are the same as step 308 to step 309.
  • the PKMF network element may send a first key response to the relay UE, where the first key response includes the secure communication parameter.
  • the first key response may further include the temporary identifier of the remote UE.
  • the temporary identifier of the remote UE included in the key response is used by the relay UE to provide the information for a core network element such as an SMF network element or an AMF network element.
  • Step 614 to step 616 are the same as step 311 to step 313.
  • Step 617 The relay UE needs to send a UE report message to the SMF network element, where the UE report message includes the temporary identifier and IP information of the remote UE. If the IP address in step 616 is an IPv6 prefix, the IP information is the IPv6 prefix assigned by the relay UE to the remote UE. If the IP address in step 616 is an IPv4 address, the IP information is a port number range assigned by the relay UE to the remote UE.
  • the temporary identifier of the remote UE included in the UE report message for the relay UE may be obtained from the first key response, or may be obtained from the direct communication request.
  • Step 618 After receiving the UE report message, and determining that the UE report message includes the temporary identifier, the SMF network element sends a second subscriber identity resolution request including the temporary identifier to the UDM network element, to request the UDM network element to resolve the temporary identifier.
  • Step 619 After receiving the second subscriber identity resolution request, the UDM network element obtains the temporary identifier in the second subscriber identity resolution request. The UDM network element determines the SUPI of the remote UE based on the temporary identifier of the remote UE.
  • a manner in which the UDM network element determines the SUPI of the remote UE based on the temporary identifier of the remote UE is the same as in step 609: the stored correspondence between the temporary identifier and the SUPI of the remote UE is looked up. Details are not described herein again.
  • Step 620 After determining the SUPI of the remote UE, the UDM network element feeds back a second subscriber identity resolution response to the SMF network element, where the second subscriber identity resolution response includes the SUPI of the remote UE.
  • Step 621 After receiving the second subscriber identity resolution response, the SMF network element obtains the SUPI of the remote UE from the second subscriber identity resolution response. Further, the SMF network element may perform service control based on the SUPI and the received IP information, such as lawful interception and traffic statistics. This is not limited herein.
  • the PKMF network element may directly send a secure parameter obtaining request including the temporary identifier of the remote UE to the UDM network element.
  • the UDM network element determines the SUPI of the remote UE based on the temporary identifier, and determines the secure communication parameter. Subsequently, the UDM network element sends a secure parameter obtaining response to the PKMF network element, where the secure parameter obtaining response includes the SUPI of the remote UE and the secure communication parameter.
  • the SMF network element needs to interact with the UDM network element to obtain the SUPI of the remote UE.
  • the AMF network element may also interact with the UDM network element to obtain the SUPI of the remote UE.
  • the relay UE may send an N1 message to the AMF network element.
  • the N1 message includes the temporary identifier of the remote UE and an N1 SM message, and the N1 SM message includes the IP information.
  • the AMF network element may initiate an identifier resolution procedure, and send, to the UDM network element, an identifier resolution request including the temporary identifier of the remote UE.
  • the UDM network element may determine the SUPI of the remote UE based on the temporary identifier of the remote UE. Subsequently, the UDM network element sends an identifier resolution response including the SUPI of the remote UE to the AMF network element.
  • the AMF network element sends an Nsmf message to the SMF network element, where the Nsmf message includes the SUPI of the remote UE and the N1 SM message.
  • the SMF network element may obtain the SUPI of the remote UE from the Nsmf message.
  • in the foregoing embodiment, the first key response sent by the PKMF network element to the relay UE includes the temporary identifier of the remote UE. Alternatively, the PKMF network element may directly notify the relay UE of the SUPI of the remote UE.
  • FIG. 7A and FIG. 7B show a method for obtaining an identifier of a terminal device according to an embodiment of this application. The method includes the following steps:
  • the PKMF network element may directly send a secure parameter obtaining request including the temporary identifier of the remote UE to the UDM network element.
  • the UDM network element determines the SUPI of the remote UE based on the temporary identifier, and determines the secure communication parameter.
  • the UDM network element sends a secure parameter obtaining response to the PKMF network element, where the secure parameter obtaining response includes the SUPI of the remote UE and the secure communication parameter.
  • the PKMF network element may request the secure communication parameter while requesting to obtain the SUPI of the remote UE from the UDM network element, so that signaling interaction can be reduced.
  • the relay UE may first obtain the secure communication parameter, establish secure communication with the remote UE, and then request, via the SMF network element or the AMF network element, the UDM network element to resolve the SUCI.
  • the method includes the following steps:
  • the direct communication request includes a key identifier.
  • the key identifier is an identifier of a security key used for encrypting and/or integrity-protecting data exchanged between the remote UE and the relay UE.
  • the relay UE may obtain a corresponding secure communication parameter from the PKMF network element based on the key identifier.
  • Step 805. The relay UE establishes secure communication with the remote UE based on the secure communication parameter.
  • Step 806. The relay UE sends a direct communication response to the remote UE in response to the direct communication request.
  • Step 807. The relay UE assigns, to the remote UE, an IP address required for communication.
  • the IP address may be an IPv6 prefix or an IPv4 address.
  • Step 808. The relay UE sends an N1 message to the AMF network element, where the N1 message includes the SUCI of the remote UE and an N1 SM message, and the N1 SM message includes IP information.
  • if the IP address assigned in step 807 is an IPv6 prefix, the IP information is that IPv6 prefix; if the IP address assigned in step 807 is an IPv4 address, the IP information is the port number range assigned by the relay UE to the remote UE.
  • Step 809. After receiving the UE report message (the N1 message of step 808) and determining that it includes the SUCI, the AMF network element sends an identifier resolution request including the SUCI to the UDM network element, to request the UDM network element to resolve the SUCI.
  • Step 810. After receiving the identifier resolution request, the UDM network element obtains the SUCI from the identifier resolution request and determines the SUPI of the remote UE based on the SUCI of the remote UE.
  • Step 811. After determining the SUPI of the remote UE, the UDM network element returns an identifier resolution response to the AMF network element, where the identifier resolution response includes the SUPI of the remote UE.
  • Step 812. After receiving the identifier resolution response, the AMF network element obtains the SUPI of the remote UE from the identifier resolution response. The AMF network element sends an Nsmf message to the SMF network element, where the Nsmf message includes the SUPI of the remote UE and the N1 SM message.
  • the SMF network element may perform service control based on the SUPI and the received IP information, such as lawful interception and traffic statistics. This is not limited herein.
  • the relay UE may alternatively request, via the SMF network element, the UDM network element to resolve the SUCI. Specifically, the relay UE may send the UE report message to the SMF network element via the AMF network element. After receiving the UE report message, the SMF network element may request the UDM network element to resolve the SUCI.
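The PKMF/UDM exchange described above (secure parameter obtaining request and response, authorization check, key response) and the AMF/UDM resolution of steps 808 to 812, run end to end as an added example. This code is not from the patent or from Huawei. It assumes a finite-field Diffie-Hellman integrated encryption scheme in place of the 3GPP ECIES profiles for SUCI concealment, in-process objects standing in for the PKMF, UDM/SIDF, AMF and SMF, and a plain allowlist for the PKMF authorization check; the message names (KeyRequest, SecureParamObtainingRequest, UEReport, Nsmf) are paraphrases of the ones in the text, and the subscriber record is constructed. The trace lets you check the property the patent argues for: the SUPI appears on the PKMF-UDM and AMF-SMF legs but never in a message delivered to either UE.

```python
"""Added example (not from the patent): toy model of the SUCI / temporary identifier
resolution flow. Assumptions: DH-IES over a MODP group stands in for 3GPP ECIES, the
network functions are in-process objects, and PKMF authorization is a plain allowlist."""
import hashlib
import hmac
import secrets

# Toy group (assumption): the 1024-bit MODP prime of RFC 2409 group 2, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
UE_NODES = {"remote-UE", "relay-UE"}


def hn_keygen():
    """Home-network key pair; the private half lives only in the UDM/SIDF."""
    d = secrets.randbelow(P - 2) + 1
    return d, pow(G, d, P)


def _kdf(shared, length):
    """Expand the shared secret into a keystream followed by a 32-byte MAC key."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(shared.to_bytes(128, "big") + bytes([ctr])).digest()
        ctr += 1
    return out[:length]


def conceal(mcc_mnc, msin, hn_pub):
    """UE side: build a SUCI from the MSIN using only the home-network public key."""
    e = secrets.randbelow(P - 2) + 1
    stream = _kdf(pow(hn_pub, e, P), len(msin) + 32)
    ct = bytes(a ^ b for a, b in zip(msin.encode(), stream))
    tag = hmac.new(stream[len(msin):], ct, hashlib.sha256).digest()
    return {"hn_id": mcc_mnc, "eph_pub": pow(G, e, P), "ct": ct, "tag": tag}


def deconceal(suci, hn_priv):
    """SIDF side: recover the SUPI; a SUCI whose tag does not verify is rejected."""
    n = len(suci["ct"])
    stream = _kdf(pow(suci["eph_pub"], hn_priv, P), n + 32)
    if not hmac.compare_digest(hmac.new(stream[n:], suci["ct"], hashlib.sha256).digest(), suci["tag"]):
        raise ValueError("SUCI integrity check failed")
    return "imsi-" + suci["hn_id"] + bytes(a ^ b for a, b in zip(suci["ct"], stream)).decode()


class Trace:
    def __init__(self):
        self.msgs = []          # (src, dst, message name, fields)

    def send(self, src, dst, name, **fields):
        self.msgs.append((src, dst, name, fields))

    def seen_by(self, nodes, needle):
        """Names of messages delivered to `nodes` whose fields contain `needle`."""
        return [m[2] for m in self.msgs if m[1] in nodes and needle in repr(m[3])]


class UDM:
    def __init__(self, hn_priv):
        self.hn_priv, self.temp_ids = hn_priv, {}

    def resolve(self, ident):
        if isinstance(ident, dict):         # anonymous identifier (SUCI): de-conceal it
            return deconceal(ident, self.hn_priv)
        return self.temp_ids[ident]         # temporary identifier: stored correspondence

    def secure_param_response(self, first_id):
        supi, temp = self.resolve(first_id), "tmp-" + secrets.token_hex(4)
        self.temp_ids[temp] = supi          # keep the correspondence for the AMF/SMF step
        return {"supi": supi, "temp_id": temp, "secure_param": secrets.token_hex(16)}


def simulate(authorized_supis=("imsi-460001234567890",)):
    """Run the whole flow; returns the trace, the resolved SUPI and the PKMF decision."""
    hn_priv, hn_pub = hn_keygen()
    udm, t, ip = UDM(hn_priv), Trace(), "2001:db8:1::/64"
    suci = conceal("46000", "1234567890", hn_pub)   # constructed subscriber; PC5 carries only a SUCI
    t.send("remote-UE", "relay-UE", "DirectCommunicationRequest", suci=suci)
    t.send("relay-UE", "PKMF", "KeyRequest", first_id=suci)
    t.send("PKMF", "UDM", "SecureParamObtainingRequest", first_id=suci)
    rsp = udm.secure_param_response(suci)
    t.send("UDM", "PKMF", "SecureParamObtainingResponse", **rsp)
    if rsp["supi"] not in authorized_supis:         # PKMF authorization check on the SUPI
        t.send("PKMF", "relay-UE", "KeyResponse", error="remote UE not authorized")
        return {"trace": t, "supi": rsp["supi"], "authorized": False}
    # Key response carries the secure parameter and the temporary identifier, never the SUPI.
    t.send("PKMF", "relay-UE", "KeyResponse", secure_param=rsp["secure_param"], temp_id=rsp["temp_id"])
    t.send("relay-UE", "remote-UE", "DirectCommunicationResponse", temp_id=rsp["temp_id"])
    t.send("relay-UE", "AMF", "UEReport", temp_id=rsp["temp_id"], ip=ip)
    t.send("AMF", "UDM", "IdentifierResolutionRequest", ident=rsp["temp_id"])
    supi = udm.resolve(rsp["temp_id"])
    t.send("UDM", "AMF", "IdentifierResolutionResponse", supi=supi)
    t.send("AMF", "SMF", "Nsmf", supi=supi, ip=ip)
    return {"trace": t, "supi": supi, "authorized": True}
```

Call `simulate()` and inspect `simulate()["trace"].msgs` to see each leg; `simulate(authorized_supis=())` exercises the failed-authorization branch, in which the relay UE still learns nothing about the remote UE's SUPI. The de-concealment step also rejects a SUCI whose tag does not verify, which is the check a UDM/SIDF needs before it resolves an identifier presented by an untrusted relay.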
  • an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the key management network element or the PKMF network element in the foregoing method embodiments.
  • the apparatus includes a receiving unit 901, a processing unit 902, and a sending unit 903.
  • the receiving unit 901 is configured to receive a first key request from a first terminal device, where the first key request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device.
  • the processing unit 902 is configured to determine that the first key request includes the first identifier.
  • the sending unit 903 is configured to: after the processing unit 902 determines that the first key request includes the first identifier, send a first request to a unified data management network element, where the first request includes the first identifier.
  • the receiving unit 901 is further configured to receive a first response from the unified data management network element, where the first response includes a subscription permanent identifier SUPI of the second terminal device.
  • the processing unit 902 is further configured to perform an authorization check on the second terminal device based on the SUPI of the second terminal device.
  • the sending unit 903 is further configured to: after the authorization check performed by the processing unit 902 on the second terminal device succeeds, send a first key response to the first terminal device, where the first key response includes a secure communication parameter, and the secure communication parameter is a parameter required for establishing secure communication between the first terminal device and the second terminal device.
  • the first response and the first key response further include a GPSI of the second terminal device or the first identifier.
  • the first request is a secure communication parameter obtaining request.
  • the first response is a secure communication parameter obtaining response.
  • the sending unit 903 may notify the unified data management network element to delete a correspondence between the first identifier and the SUPI of the second terminal device. In a possible implementation, the sending unit 903 may further send a first indication to the unified data management network element, where the first indication indicates to store the correspondence between the first identifier and the SUPI of the second terminal device.
  • an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the unified data management network element or the UDM network element in the foregoing method embodiments.
  • the apparatus includes a receiving unit 1001, a processing unit 1002, and a sending unit 1003.
  • the receiving unit 1001 is configured to receive a first request from a key management network element, where the first request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device.
  • the processing unit 1002 is configured to determine that the first request includes the first identifier; and after determining that the first request includes the first identifier, obtain a SUPI of the second terminal device based on the first identifier.
  • the sending unit 1003 is configured to send a first response to the key management network element, where the first response includes the SUPI of the second terminal device.
  • the processing unit 1002 may obtain the SUPI of the second terminal device from a subscription identifier de-concealing network element based on the anonymous identifier of the second terminal device.
  • the processing unit 1002 may determine the SUPI of the second terminal device based on a stored correspondence between a SUPI and a temporary identifier of a terminal device and based on the temporary identifier of the second terminal device.
  • the processing unit 1002 may further allocate a temporary identifier to the second terminal device, and store a correspondence between the SUPI and the temporary identifier of the second terminal device. Subsequently, the sending unit 1003 may send the temporary identifier to the second terminal device via a proximity service network element.
  • the processing unit 1002 may further obtain, from the proximity service network element, a temporary identifier allocated by the proximity service network element to the second terminal device, and store a correspondence between the SUPI and the temporary identifier of the second terminal device.
  • the processing unit 1002 may store a correspondence between the first identifier and the SUPI of the second terminal device.
  • the receiving unit 1001 may receive a first indication from the key management network element.
  • the first indication indicates to store the correspondence between the first identifier and the SUPI of the second terminal device.
  • the processing unit 1002 may further determine, based on an attribute of the second terminal device, that the correspondence between the first identifier and the SUPI of the second terminal device needs to be stored. In a possible implementation, the processing unit 1002 may delete, as notified by the key management network element, the correspondence between the first identifier and the SUPI of the second terminal device.
  • the processing unit 1002 may determine a GPSI of the second terminal device based on the SUPI of the second terminal device, and then include the GPSI of the second terminal device in the first response.
  • the receiving unit 1001 may further receive a subscriber identity resolution request from a session management network element.
  • the subscriber identity resolution request includes a second identifier, and the second identifier is one of the following: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device.
  • the processing unit 1002 determines the SUPI of the second terminal device based on the second identifier.
  • the sending unit 1003 sends a subscriber identity resolution response to the session management network element, where the subscriber identity resolution response includes the SUPI of the second terminal device.
  • the receiving unit 1001 may further receive an identifier resolution request from an access and mobility management network element.
  • the identifier resolution request includes a second identifier, and the second identifier is one of the following: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device.
  • the processing unit 1002 may determine the SUPI of the second terminal device based on the second identifier.
  • the sending unit 1003 sends an identifier resolution response to the access and mobility management network element, where the identifier resolution response includes the SUPI of the second terminal device.
  • the first request is a secure communication parameter obtaining request.
  • the first response is a secure communication parameter obtaining response.
  • the first response may include the first identifier.
  • an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the session management network element or the SMF network element in the foregoing method embodiments.
  • the apparatus includes a receiving unit 1101, a processing unit 1102, and a sending unit 1103.
  • the receiving unit 1101 is configured to receive a UE report message from a first terminal device, where the UE report message includes a second identifier and IP information allocated by the first terminal device to a second terminal device.
  • the second identifier is one of the following: an anonymous identifier of the second terminal device, a temporary identifier of the second terminal device, or a GPSI of the second terminal device.
  • the processing unit 1102 is configured to determine that the UE report message includes the second identifier.
  • the sending unit 1103 is configured to: after the processing unit 1102 determines that the UE report message includes the second identifier, send a subscriber identity resolution request to a unified data management network element, where the subscriber identity resolution request includes the second identifier.
  • the receiving unit 1101 is further configured to receive a subscriber identity resolution response from the unified data management network element, where the subscriber identity resolution response includes a SUPI of the second terminal device.
  • the processing unit 1102 further performs service control on the second terminal device based on the SUPI and the IP information of the second terminal device.
  • an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the access and mobility management network element or the AMF network element in the foregoing method embodiments.
  • the apparatus includes a receiving unit 1201, a processing unit 1202, and a sending unit 1203.
  • the receiving unit 1201 is configured to receive a UE report message from a first terminal device, where the UE report message includes a second identifier and IP information allocated by the first terminal device to a second terminal device.
  • the second identifier is one of the following: an anonymous identifier of the second terminal device, a temporary identifier of the second terminal device, or a GPSI of the second terminal device.
  • the processing unit 1202 is configured to determine that the UE report message includes the second identifier.
  • the sending unit 1203 is configured to: after the processing unit 1202 determines that the UE report message includes the second identifier, send an identifier resolution request to a unified data management network element, where the identifier resolution request includes the second identifier.
  • the receiving unit 1201 is further configured to receive an identifier resolution response from the unified data management network element, where the identifier resolution response includes the SUPI of the second terminal device.
  • the sending unit 1203 is further configured to send the SUPI and the IP information of the second terminal device to a session management network element.
  • an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the first terminal device or the relay UE in the foregoing method embodiments.
  • the apparatus includes a receiving unit 1301, a processing unit 1302, and a sending unit 1303.
  • the processing unit 1302 is configured to determine that direct communication needs to be established with a second terminal device.
  • the sending unit 1303 is configured to: after the processing unit 1302 determines that direct communication needs to be established with the second terminal device, send a first key request to a key management network element.
  • the first key request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of the second terminal device.
  • the receiving unit 1301 is configured to receive a first key response from the key management network element, where the first key response includes a secure communication parameter.
  • the processing unit 1302 is further configured to establish secure communication with the second terminal device based on the secure communication parameter.
  • the first key response further includes a GPSI of the second terminal device or the first identifier.
  • division into the units is an example and is merely logical function division, and may be other division during actual implementation.
  • functional units in embodiments of this application may be integrated into one processor, may exist alone physically, or two or more units may be integrated into one module.
  • the foregoing integrated unit may be implemented in a form of hardware, or may be implemented in a form of a software functional module.
  • When the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, the integrated unit may be stored in a computer-readable storage medium. Based on such an understanding, the technical solutions of this application essentially, or the part contributing to the current technology, or all or some of the technical solutions, may be implemented in a form of a software product.
  • the computer software product is stored in a storage medium and includes several instructions for instructing a terminal device (which may be a personal computer, a mobile phone, a network device, or the like) or a processor (processor) to perform all or some of the steps of the methods in embodiments of this application.
  • the storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (read-only memory, ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disc.
  • the key management network element, the unified data management network element, the session management network element, the access and mobility management network element, and the first terminal device each may be presented by integrating function modules.
  • the "module" herein may be an ASIC, a circuit, a processor that executes one or more software or firmware programs, a memory, an integrated logic circuit, and/or another component capable of providing the foregoing functions.
  • the key management network element, the unified data management network element, the session management network element, and the access and mobility management network element each may be in a form shown in FIG. 14 .
  • a communication apparatus 1400 shown in FIG. 14 includes at least one processor 1401 and a memory 1402, and optionally, may further include a communication interface 1403.
  • the memory 1402 may be a volatile memory, for example, a random access memory; or the memory may be a nonvolatile memory, for example, a read-only memory, a flash memory, a hard disk drive (hard disk drive, HDD), or a solid-state drive (solid-state drive, SSD); or the memory 1402 is any other medium that can be used to carry or store expected program code in a form of an instruction or a data structure and that can be accessed by a computer, but is not limited thereto.
  • the memory 1402 may be a combination of the foregoing memories.
  • a specific connection medium between the processor 1401 and the memory 1402 is not limited.
  • the memory 1402 and the processor 1401 are connected through a bus 1404.
  • the bus 1404 is represented by a bold line in the figure.
  • a connection manner between other components is described merely as an example and does not constitute any limitation.
  • the bus 1404 may be classified as an address bus, a data bus, a control bus, or the like. For ease of representation, only one thick line is used to represent the bus in FIG. 14 , but this does not mean that there is only one bus or only one type of bus.
  • the processor 1401 may have a data transceiver function, and can communicate with another device.
  • an independent data transceiver module for example, the communication interface 1403, may be disposed for data sending and receiving.
  • the processor 1401 may perform data transmission through the communication interface 1403.
  • the processor 1401 in FIG. 14 may invoke computer executable instructions stored in the memory 1402, so that the key management network element can perform the method performed by the key management network element or the PKMF network element in any one of the foregoing method embodiments.
  • functions/implementation processes of the sending unit, the receiving unit, and the processing unit in FIG. 9 may be implemented by the processor 1401 in FIG. 14 by invoking the computer-executable instructions stored in the memory 1402.
  • functions/implementation processes of the processing unit in FIG. 9 may be implemented by the processor 1401 in FIG. 14 by invoking the computer-executable instructions stored in the memory 1402.
  • functions/implementation processes of the sending unit and the receiving unit in FIG. 9 may be implemented by the communication interface 1403 in FIG. 14 .
  • the processor 1401 in FIG. 14 may invoke computer executable instructions stored in the memory 1402, so that the unified data management network element can perform the method performed by the unified data management network element or the UDM network element in any one of the foregoing method embodiments.
  • functions/implementation processes of the sending unit, the receiving unit, and the processing unit in FIG. 10 may be implemented by the processor 1401 in FIG. 14 by invoking the computer-executable instructions stored in the memory 1402.
  • functions/implementation processes of the processing unit in FIG. 10 may be implemented by the processor 1401 in FIG. 14 by invoking the computer-executable instructions stored in the memory 1402.
  • functions/implementation processes of the sending unit and the receiving unit in FIG. 10 may be implemented by the communication interface 1403 in FIG. 14 .
  • the processor 1401 in FIG. 14 may invoke computer executable instructions stored in the memory 1402, so that the session management network element can perform the method performed by the session management network element or the SMF network element in any one of the foregoing method embodiments.
  • functions/implementation processes of the receiving unit, the sending unit, and the processing unit in FIG. 11 may be implemented by the processor 1401 in FIG. 14 by invoking the computer executable instructions stored in the memory 1402.
  • functions/implementation processes of the processing unit in FIG. 11 may be implemented by the processor 1401 in FIG. 14 by invoking the computer executable instructions stored in the memory 1402.
  • functions/implementation processes of the receiving unit and the sending unit in FIG. 11 may be implemented by the communication interface 1403 in FIG. 14 .
  • the processor 1401 in FIG. 14 may invoke computer executable instructions stored in the memory 1402, so that the access and mobility management network element can perform the method performed by the access and mobility management network element or the AMF network element in any one of the foregoing method embodiments.
  • functions/implementation processes of the receiving unit, the sending unit, and the processing unit in FIG. 12 may be implemented by the processor 1401 in FIG. 14 by invoking the computer executable instructions stored in the memory 1402.
  • functions/implementation processes of the processing unit in FIG. 12 may be implemented by the processor 1401 in FIG. 14 by invoking the computer executable instructions stored in the memory 1402.
  • functions/implementation processes of the receiving unit and the sending unit in FIG. 12 may be implemented by the communication interface 1403 in FIG. 14 .
  • the key management network element, the unified data management network element, the session management network element, and the access and mobility management network element each may be in a form shown in FIG. 15 .
  • a communication apparatus 1500 shown in FIG. 15 includes at least one processor 1501 and a memory 1502, and optionally, may further include a transceiver 1503.
  • the processor 1501 and the memory 1502 are similar to the processor 1401 and the memory 1402. For details, refer to the foregoing content. Details are not described herein again.
  • a specific connection medium between the processor 1501 and the memory 1502 is not limited.
  • the memory 1502 and the processor 1501 are connected through a bus 1504.
  • the bus 1504 is represented by a bold line in the figure. A connection manner between other components is described merely as an example and does not constitute any limitation.
  • the bus 1504 may be classified as an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is used to represent the bus in FIG. 15 , but this does not mean that there is only one bus or only one type of bus.
  • the processor 1501 may have a data transceiver function, and can communicate with another device.
  • an independent data transceiver module for example, the transceiver 1503, may be disposed for data sending and receiving.
  • the processor 1501 may perform data transmission by using the transceiver 1503.
  • the processor 1501 in FIG. 15 may invoke computer executable instructions stored in the memory 1502, so that the first terminal device can perform the method performed by the first terminal device or the relay UE in any one of the foregoing method embodiments.
  • functions/implementation processes of the sending unit, the receiving unit, and the processing unit in FIG. 13 may be implemented by the processor 1501 in FIG. 15 by invoking the computer-executable instructions stored in the memory 1502.
  • functions/implementation processes of the processing unit in FIG. 13 may be implemented by the processor 1501 in FIG. 15 by invoking the computer-executable instructions stored in the memory 1502.
  • functions/implementation processes of the sending unit and the receiving unit in FIG. 13 may be implemented by the transceiver 1503 in FIG. 15 .
  • this application may be provided as a method, a system, or a computer program product. Therefore, this application may use a form of a hardware-only embodiment, a software-only embodiment, or an embodiment with a combination of software and hardware. Moreover, this application may use a form of a computer program product that is implemented on one or more computer-usable storage media (including but not limited to a disk memory, a CD-ROM, an optical memory, and the like) that include computer usable program code.
  • These computer program instructions may be provided for a general-purpose computer, a dedicated computer, an embedded processor, or a processor of another programmable data processing device to generate a machine, so that the instructions executed by a computer or the processor of the another programmable data processing device generate an apparatus for implementing a specific function in one or more processes in the flowcharts and/or in one or more blocks in the block diagrams.
  • These computer program instructions may alternatively be stored in a computer-readable memory that can indicate a computer or another programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory generate an artifact that includes an instruction apparatus.
  • the instruction apparatus implements a specific function in one or more processes in the flowcharts and/or in one or more blocks in the block diagrams.
  • These computer program instructions may alternatively be loaded onto a computer or another programmable data processing device, so that a series of operations and steps are performed on the computer or the another programmable device, to generate computer-implemented processing. Therefore, the instructions executed on the computer or the another programmable device provide steps for implementing a specified function in one or more processes in the flowcharts and/or in one or more blocks in the block diagrams.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)
  • Selective Calling Equipment (AREA)

Abstract

A method for obtaining an identifier of a terminal device, an apparatus, and a system are provided, to resolve a problem of user privacy exposure resulting from a transmission manner of a subscription permanent identifier. In the method, a key management network element receives, from a first terminal device, a first key request including a first identifier, where the first identifier is an anonymous identifier or a temporary identifier of a second terminal device. The key management network element sends, to a unified data management network element, a first request including the first identifier. The unified data management network element determines a SUPI of the second terminal device based on the first identifier, and sends, to the key management network element, a first response including the SUPI. After an authorization check performed on the second terminal device based on the SUPI succeeds, the key management network element sends a first key response to the first terminal device, where the first key response includes a secure communication parameter. The key management network element obtains the SUPI from the unified data management network element. This can effectively ensure security of the subscription permanent identifier of the second terminal device.

Description

    TECHNICAL FIELD
  • This application relates to the field of communication technologies, and in particular, to a method for obtaining an identifier of a terminal device, an apparatus, and a system.
  • BACKGROUND
  • Currently, device to device (device to device, D2D) communication allows direct communication between user equipments (user equipment, UE).
  • When a remote device (remote UE) is located outside coverage of a communication network, or quality of communication between the remote device and an access network device in a communication network is relatively poor, the remote device may establish, based on D2D communication, indirect communication with the communication network via a relay device (relay UE). To be specific, the remote device can obtain data from the communication network through communication between the remote device and the relay device, and interaction between the relay device and the communication network.
  • In a process in which the remote device establishes indirect communication with the communication network via the relay device, the relay device needs to first obtain an identifier of the remote device, and report the identifier to the communication network, so that the communication network can perform authentication and an authorization check based on the identifier of the remote device, or perform service control such as lawful interception based on the identifier of the remote device. In a 4th generation mobile communication technology (4th generation mobile communication technology, 4G) system, a remote device may provide its subscription permanent identifier to a relay device over an air interface in plaintext. The relay device then sends the received subscription permanent identifier of the remote device to a communication network. However, directly sending the subscription permanent identifier over the air interface in plaintext results in user privacy exposure.
    SUMMARY
  • This application provides a method for obtaining an identifier of a terminal device, an apparatus, and a system, to resolve a problem of user privacy exposure resulting from a transmission manner of a subscription permanent identifier. According to a first aspect, an embodiment of this application provides a method for obtaining an identifier of a terminal device. The method is performed by a key management network element, and includes the following: The key management network element receives a first key request from a first terminal device, where the first key request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device. The key management network element parses the first key request. If it determines that the first key request includes the first identifier, the key management network element needs to determine a subscription permanent identifier (SUPI) of the second terminal device. To do so, the key management network element may send a first request to a unified data management network element, where the first request includes the first identifier. Subsequently, the key management network element may receive a first response from the unified data management network element, where the first response includes the SUPI of the second terminal device. Then, the key management network element may perform an authorization check on the second terminal device based on the SUPI of the second terminal device, and after the authorization check on the second terminal device succeeds, send a first key response to the first terminal device. The first key response includes a secure communication parameter, and the secure communication parameter is a parameter required for establishing secure communication between the first terminal device and the second terminal device.
  • In the foregoing method, the key management network element obtains the subscription permanent identifier of the second terminal device from the unified data management network element. The key management network element only needs to obtain the anonymous identifier or the temporary identifier of the second terminal device from the first terminal device, without a need to obtain the subscription permanent identifier of the second terminal device from the first terminal device. This can effectively ensure security of the subscription permanent identifier of the second terminal device, and further avoid user privacy exposure.
  • In a possible design, the first response and the first key response further include a GPSI of the second terminal device, or may include the first identifier. The first response and the first key response may further indicate the second terminal device by including the first identifier or the GPSI, to avoid user privacy exposure resulting from carrying the subscription permanent identifier.
  • In a possible design, the first request and the first response may be information in an existing interaction procedure between the key management network element and the unified data management network element. For example, the first request is a secure communication parameter obtaining request, and the first response is a secure communication parameter obtaining response. Alternatively, the first request and the first response may be new information in an existing interaction procedure between the key management network element and the unified data management network element. A manner of setting the first request and the first response is more flexible, so that an application range can be effectively extended.
  • In a possible design, after the authorization check performed on the second terminal device based on a second identifier fails, the key management network element may notify the first terminal device to refuse to serve or to stop serving the second terminal device, or may notify the unified data management network element to delete a correspondence between the first identifier and the SUPI of the second terminal device. In this way, the key management network element notifies the first terminal device or the unified data management network element in a timely and convenient manner to perform the corresponding operation.
  • In a possible design, the key management network element may further send a first indication to the unified data management network element, where the first indication indicates to store the correspondence between the first identifier and the SUPI of the second terminal device. The key management network element indicates, by sending the first indication, the unified data management network element to store the correspondence between the first identifier and the SUPI of the second terminal device, so that another network element can obtain the SUPI of the second terminal device from the unified data management network element based on the first identifier.
  • According to a second aspect, an embodiment of this application provides a method for obtaining an identifier of a terminal device. The method is performed by a unified data management network element. In the method, the unified data management network element may receive a first request from a key management network element. The first request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device. After determining that the first request includes the first identifier, the unified data management network element may obtain a SUPI of the second terminal device based on the first identifier. Subsequently, the unified data management network element sends a first response to the key management network element. The first response includes the SUPI of the second terminal device.
  • In the foregoing method, the key management network element conveniently obtains the SUPI of the second terminal device by interacting with the unified data management network element.
  • In a possible design, when determining the SUPI of the second terminal device based on the anonymous identifier of the second terminal device, the unified data management network element may obtain the SUPI of the second terminal device from a subscription identifier de-concealing network element based on the anonymous identifier of the second terminal device. In this way, a manner in which the unified data management network element obtains the SUPI of the second terminal device is more convenient.
  • In a possible design, when determining the SUPI of the second terminal device based on the temporary identifier of the second terminal device, the unified data management network element may determine the SUPI of the second terminal device based on a stored correspondence between a SUPI and a temporary identifier of a terminal device and based on the temporary identifier of the second terminal device. The unified data management network element stores the correspondence between the temporary identifier and the SUPI of the terminal device, so that the SUPI of the second terminal device can be more conveniently provided for the key management network element.
  • In a possible design, before determining the SUPI of the second terminal device based on the temporary identifier of the second terminal device, the unified data management network element needs to first determine a temporary identifier allocated to the second terminal device. Two manners are described below:
    • Manner 1: The unified data management network element may allocate a temporary identifier to the second terminal device, then send the temporary identifier to the second terminal device via a proximity service network element, and may further store a correspondence between the SUPI and the temporary identifier of the second terminal device.
    • Manner 2: The unified data management network element may alternatively obtain, from the proximity service network element, a temporary identifier allocated by the proximity service network element to the second terminal device, and store a correspondence between the SUPI and the temporary identifier of the second terminal device.
  • According to the foregoing method, the unified data management network element can determine, in a plurality of different manners, the temporary identifier allocated to the second terminal device, for different scenarios.
  • In a possible design, after obtaining the SUPI of the second terminal device based on the first identifier, the unified data management network element may store the correspondence between the first identifier and the SUPI of the second terminal device, so that another network element subsequently obtains the SUPI of the second terminal device from the unified data management network element based on the first identifier.
  • In a possible design, the unified data management network element may actively store the correspondence between the first identifier and the SUPI of the second terminal device. Alternatively, the unified data management network element may store the correspondence between the first identifier and the SUPI of the second terminal device under indication of the key management network element. For example, the unified data management network element receives a first indication from the key management network element, where the first indication indicates to store the correspondence between the first identifier and the SUPI of the second terminal device. Subsequently, the unified data management network element stores the correspondence between the first identifier and the SUPI of the second terminal device. Alternatively, the unified data management network element may first determine whether the correspondence between the first identifier and the SUPI of the second terminal device needs to be stored, and then store the correspondence after determining that the correspondence between the first identifier and the SUPI of the second terminal device needs to be stored. For example, the unified data management network element determines, based on an attribute of the second terminal device, whether the correspondence between the first identifier and the SUPI of the second terminal device needs to be stored. There are a plurality of manners in which the unified data management network element determines to store the correspondence between the first identifier and the SUPI of the second terminal device, for different scenarios, thereby effectively extending an application scope.
  • In a possible design, after storing the correspondence between the first identifier and the SUPI of the second terminal device, the unified data management network element may further delete, as notified by the key management network element, the correspondence between the first identifier and the SUPI of the second terminal device, to save storage space.
  • In a possible design, the first response may include the first identifier, or may include another identifier of the second terminal device. For example, the unified data management network element may further determine a GPSI of the second terminal device based on the SUPI of the second terminal device, and include the GPSI of the second terminal device in the first response. In addition to the SUPI of the second terminal device, the first response may further include another identifier of the second terminal device, so that more information about the second terminal device can be provided to the key management network element.
  • In a possible design, the unified data management network element may further provide the SUPI of the second terminal device to another network element. The other network element may be a session management network element or an access and mobility management network element. Descriptions are separately provided below:
    • (1) The unified data management network element may receive a subscriber identity resolution request from the session management network element. The subscriber identity resolution request includes a second identifier, and the second identifier is one of the following: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device. Subsequently, the unified data management network element determines the SUPI of the second terminal device based on the second identifier. Then, the unified data management network element sends a subscriber identity resolution response to the session management network element. The subscriber identity resolution response includes the SUPI of the second terminal device.
    • (2) The unified data management network element may alternatively receive an identifier resolution request from the access and mobility management network element. The identifier resolution request includes a second identifier, and the second identifier is one of the following: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device. Subsequently, the unified data management network element determines the SUPI of the second terminal device based on the second identifier. Then, the unified data management network element may send an identifier resolution response to the access and mobility management network element. The identifier resolution response includes the SUPI of the second terminal device.
  • In a possible design, the first request and the first response may be information in an existing interaction procedure between the key management network element and the unified data management network element. For example, the first request is a secure communication parameter obtaining request, and the first response is a secure communication parameter obtaining response. Alternatively, the first request and the first response may be new information in an existing interaction procedure between the key management network element and the unified data management network element. A manner of setting the first request and the first response is more flexible, so that an application range can be effectively extended.
  • In a possible design, the first response further includes the first identifier.
  • According to a third aspect, an embodiment of this application provides a method for obtaining an identifier of a terminal device. In the method, a session management network element may receive a UE report message from a first terminal device. The UE report message includes a second identifier and IP information allocated by the first terminal device to a second terminal device. The second identifier is one of the following: an anonymous identifier of the second terminal device, a temporary identifier of the second terminal device, or a GPSI of the second terminal device. The session management network element determines that the UE report message includes the second identifier and that a SUPI of the second terminal device needs to be obtained. The session management network element may send a subscriber identity resolution request to a unified data management network element, where the subscriber identity resolution request includes the second identifier. Then, the session management network element receives a subscriber identity resolution response from the unified data management network element, where the subscriber identity resolution response includes the SUPI of the second terminal device. After obtaining the SUPI, the session management network element may perform service control on the second terminal device based on the SUPI and the IP information of the second terminal device.
  • In the foregoing method, the session management network element may obtain the subscription permanent identifier of the second terminal device from the unified data management network element. The session management network element only needs to obtain the anonymous identifier or the temporary identifier of the second terminal device from the first terminal device, without a need to obtain the subscription permanent identifier of the second terminal device from the first terminal device. This can effectively ensure security of the subscription permanent identifier of the second terminal device, and further avoid user privacy exposure.
  • According to a fourth aspect, an embodiment of this application provides a method for obtaining an identifier of a terminal device. The method is executed by an access and mobility management network element. In the method, the access and mobility management network element receives a UE report message from a first terminal device. The UE report message includes a second identifier and IP information allocated by the first terminal device to a second terminal device. The second identifier is one of the following: an anonymous identifier of the second terminal device, a temporary identifier of the second terminal device, or a generic public subscription identifier (GPSI) of the second terminal device. Subsequently, the access and mobility management network element determines that the UE report message includes the second identifier and that it needs to obtain a SUPI of the second terminal device. The access and mobility management network element may send an identifier resolution request to a unified data management network element, where the identifier resolution request includes the second identifier. The access and mobility management network element receives an identifier resolution response from the unified data management network element, where the identifier resolution response includes the SUPI of the second terminal device. Then, the access and mobility management network element may send the SUPI and the IP information of the second terminal device to a session management network element.
  • In the foregoing method, the access and mobility management network element may obtain the subscription permanent identifier of the second terminal device from the unified data management network element, and then send the obtained subscription permanent identifier of the second terminal device to the session management network element. The first terminal device no longer needs to provide the subscription permanent identifier of the second terminal device. This can effectively ensure security of the subscription permanent identifier of the second terminal device, and further avoid user privacy exposure.
  • According to a fifth aspect, an embodiment of this application provides a method for obtaining an identifier of a terminal device. The method is performed by a first terminal device. In the method, after determining that direct communication needs to be established with a second terminal device, the first terminal device may send a first key request to a key management network element. The first key request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of the second terminal device. Subsequently, the first terminal device may receive a first key response from the key management network element, where the first key response includes a secure communication parameter. Then, the first terminal device establishes secure communication with the second terminal device based on the secure communication parameter.
  • In the foregoing method, the first terminal device may obtain, from the key management network element based on the first identifier, the secure communication parameter for establishing secure communication with the second terminal device, and the first terminal device no longer needs to provide the subscription permanent identifier of the second terminal device. This can effectively ensure security of the subscription permanent identifier of the second terminal device, and further avoid user privacy exposure.
  • In a possible design, the first key response further includes a GPSI of the second terminal device or the first identifier, indicating the second terminal device.
  • According to a sixth aspect, an embodiment of this application further provides a communication apparatus. The communication apparatus is used in a key management network element. For beneficial effects, refer to the description of the first aspect. Details are not described herein again. The apparatus has functions of implementing the behavior in the method example in the first aspect. The functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or the software includes one or more modules corresponding to the foregoing functions. In a possible design, a structure of the apparatus includes a receiving unit, a processing unit, and a sending unit. These units may perform corresponding functions in the method example in the first aspect. For details, refer to the detailed descriptions in the method example. Details are not described herein again.
  • According to a seventh aspect, an embodiment of this application further provides a communication apparatus. The communication apparatus is used in a unified data management network element. For beneficial effects, refer to the description of the second aspect. Details are not described herein again. The apparatus has functions of implementing the behavior in the method example in the second aspect. The functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or the software includes one or more modules corresponding to the foregoing functions. In a possible design, a structure of the apparatus includes a receiving unit, a processing unit, and a sending unit. These units may perform corresponding functions in the method example in the second aspect. For details, refer to the detailed descriptions in the method example. Details are not described herein again.
  • According to an eighth aspect, an embodiment of this application further provides a communication apparatus. The communication apparatus is used in a session management network element. For beneficial effects, refer to the description of the third aspect. Details are not described herein again. The apparatus has functions of implementing the behavior in the method example in the third aspect. The functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or the software includes one or more modules corresponding to the foregoing function. In a possible design, a structure of the apparatus includes a receiving unit, a processing unit, and a sending unit. These units may perform corresponding functions in the method example in the third aspect. For details, refer to the detailed descriptions in the method example. Details are not described herein again.
  • According to a ninth aspect, an embodiment of this application further provides a communication apparatus. The communication apparatus is used in an access and mobility management network element. For beneficial effects, refer to the description of the fourth aspect. Details are not described herein again. The apparatus has functions of implementing the behavior in the method example in the fourth aspect. The functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or the software includes one or more modules corresponding to the foregoing function. In a possible design, a structure of the apparatus includes a receiving unit, a processing unit, and a sending unit. These units may perform corresponding functions in the method example in the fourth aspect. For details, refer to the detailed descriptions in the method example. Details are not described herein again.
  • According to a tenth aspect, an embodiment of this application further provides a communication apparatus. The communication apparatus is used in a first terminal device. For beneficial effects, refer to the description of the fifth aspect. Details are not described herein again. The apparatus has functions of implementing the behavior in the method example in the fifth aspect. The functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or the software includes one or more modules corresponding to the foregoing function. In a possible design, a structure of the apparatus includes a receiving unit, a processing unit, and a sending unit. These units may perform corresponding functions in the method example in the fifth aspect. For details, refer to the detailed descriptions in the method example. Details are not described herein again.
  • According to an eleventh aspect, an embodiment of this application further provides a communication apparatus. The communication apparatus is used in a key management network element. For beneficial effects, refer to the description of the first aspect. Details are not described herein again. A structure of the communication apparatus includes a processor and a memory. The processor is configured to support the key management network element in performing corresponding functions in the method in the first aspect. The memory is coupled to the processor, and stores program instructions and data that are necessary for the communication apparatus. The structure of the communication apparatus further includes a communication interface for communicating with another device.
  • According to a twelfth aspect, an embodiment of this application further provides a communication apparatus. The communication apparatus is used in a unified data management network element. For beneficial effects, refer to the description of the second aspect. Details are not described herein again. A structure of the communication apparatus includes a processor and a memory. The processor is configured to support the unified data management network element in performing corresponding functions in the method in the second aspect. The memory is coupled to the processor, and stores program instructions and data that are necessary for the communication apparatus. The structure of the communication apparatus further includes a communication interface for communicating with another device.
  • According to a thirteenth aspect, an embodiment of this application further provides a communication apparatus. The communication apparatus is used in a session management network element. For beneficial effects, refer to the description of the third aspect. Details are not described herein again. A structure of the communication apparatus includes a processor and a memory. The processor is configured to support the session management network element in performing corresponding functions in the method in the third aspect. The memory is coupled to the processor, and stores program instructions and data that are necessary for the communication apparatus. The structure of the communication apparatus further includes a communication interface for communicating with another device.
  • According to a fourteenth aspect, an embodiment of this application further provides a communication apparatus. The communication apparatus is used in an access and mobility management network element. For beneficial effects, refer to the description of the fourth aspect. Details are not described herein again. A structure of the communication apparatus includes a processor and a memory. The processor is configured to support the access and mobility management network element in performing corresponding functions in the method in the fourth aspect. The memory is coupled to the processor, and stores program instructions and data that are necessary for the communication apparatus. The structure of the communication apparatus further includes a communication interface for communicating with another device.
  • According to a fifteenth aspect, an embodiment of this application further provides a communication apparatus. The communication apparatus is used in a first terminal device. For beneficial effects, refer to the description of the fifth aspect. Details are not described herein again. A structure of the communication apparatus includes a processor and a memory. The processor is configured to support the first terminal device in performing corresponding functions in the method in the fifth aspect. The memory is coupled to the processor, and stores program instructions and data that are necessary for the communication apparatus. The structure of the communication apparatus further includes a transceiver for communicating with another device.
  • According to a sixteenth aspect, an embodiment of this application further provides a communication system. For beneficial effects, refer to the descriptions in the foregoing aspects. Details are not described herein again. The communication system includes a key management network element and a unified data management network element. The key management network element is configured to receive a first key request from a first terminal device, where the first key request includes a first identifier; and send a first request to the unified data management network element after determining that the first key request includes the first identifier, where the first request includes the first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device.
  • The unified data management network element is configured to receive the first request; after determining that the first request includes the first identifier, determine a subscription permanent identifier SUPI of the second terminal device based on the first identifier; and send a first response to the key management network element, where the first response includes the SUPI of the second terminal device.
  • The key management network element is further configured to receive the first response; perform an authorization check on the second terminal device based on the SUPI of the second terminal device; and after the authorization check on the second terminal device succeeds, send a first key response to the first terminal device. The first key response includes a secure communication parameter, and the secure communication parameter is used by the first terminal device to establish secure communication with the second terminal device.
  • In a possible design, the first response and the first key response further include a GPSI of the second terminal device. The unified data management network element is further configured to determine the GPSI of the second terminal device based on the SUPI of the second terminal device.
  • In a possible design, the first response and the first key response further include the first identifier. The unified data management network element may store a correspondence between the first identifier and the SUPI of the second terminal device.
  • In a possible design, the key management network element sends a first indication to the unified data management network element, where the first indication indicates to store the correspondence between the first identifier and the SUPI of the second terminal device. The unified data management network element is further configured to receive the first indication, and then store the correspondence between the first identifier and the SUPI of the second terminal device.
  • In a possible design, after the authorization check performed on the second terminal device fails, the key management network element notifies the unified data management network element to delete the correspondence between the first identifier and the SUPI of the second terminal device.
  • The unified data management network element is further configured to delete, as notified by the key management network element, the correspondence between the first identifier and the SUPI of the second terminal device.
  • In a possible design, when determining the SUPI of the second terminal device based on the anonymous identifier of the second terminal device, the unified data management network element obtains the SUPI of the second terminal device from a subscription identifier de-concealing network element based on the anonymous identifier of the second terminal device.
  • In a possible design, when determining the SUPI of the second terminal device based on the temporary identifier of the second terminal device, the unified data management network element determines the SUPI of the second terminal device based on a stored correspondence between a SUPI and a temporary identifier of a terminal device and based on the temporary identifier of the second terminal device.
  • In a possible design, before determining the SUPI of the second terminal device based on the temporary identifier of the second terminal device, the unified data management network element may allocate the temporary identifier to the second terminal device, send the temporary identifier to the second terminal device via a proximity service network element, and store a correspondence between the SUPI and the temporary identifier of the second terminal device. Alternatively, the unified data management network element may obtain, from a proximity service network element, the temporary identifier allocated by the proximity service network element to the second terminal device, and store a correspondence between the SUPI and the temporary identifier of the second terminal device.
  • In a possible design, the system further includes a session management network element.
  • The session management network element is configured to receive a UE report message from the first terminal device, where the UE report message includes a second identifier and IP information allocated by the first terminal device to the second terminal device, and the second identifier is one of the following: the anonymous identifier, the temporary identifier, or the GPSI; and after determining that the UE report message includes the second identifier, send a subscriber identity resolution request to the unified data management network element, where the subscriber identity resolution request includes the second identifier.
  • The unified data management network element is further configured to receive the subscriber identity resolution request, determine the SUPI of the second terminal device based on the second identifier, and send a subscriber identity resolution response to the session management network element, where the subscriber identity resolution response includes the SUPI of the second terminal device.
  • The session management network element is further configured to receive the subscriber identity resolution response, and perform service control on the second terminal device based on the SUPI of the second terminal device and the IP information.
  • In a possible design, the system further includes an access and mobility management network element.
  • The access and mobility management network element is configured to receive the UE report message from the first terminal device, where the UE report message includes the second identifier and the IP information allocated by the first terminal device to the second terminal device, and the second identifier is one of the following: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device; and send an identifier resolution request to the unified data management network element, where the identifier resolution request includes the second identifier.
  • The unified data management network element is further configured to receive the identifier resolution request, determine the SUPI of the second terminal device based on the second identifier, and send an identifier resolution response to the access and mobility management network element, where the identifier resolution response includes the SUPI of the second terminal device.
  • The access and mobility management network element is further configured to receive the identifier resolution response, and send the SUPI of the second terminal device and the IP information to the session management network element.
  • In a possible design, the system further includes the first terminal device.
  • The first terminal device is configured to send the first key request to the key management network element, receive the first key response from the key management network element, and after establishing secure communication with the second terminal device based on the secure communication parameter, send the UE report message to the session management network element via the access and mobility management network element.
  • In a possible design, the system further includes the proximity service network element. The proximity service network element is configured to allocate the temporary identifier to the second terminal device, and send the temporary identifier to the unified data management network element.
  • According to a seventeenth aspect, this application further provides a computer-readable storage medium. The computer-readable storage medium stores instructions. When the instructions are run on a computer, the computer is enabled to perform the method in each of the foregoing aspects.
  • According to an eighteenth aspect, this application further provides a computer program product including instructions. When the computer program product runs on a computer, the computer is enabled to perform the method in each of the foregoing aspects.
  • According to a nineteenth aspect, this application further provides a computer chip. The chip is connected to a memory. The chip is configured to read and execute a software program stored in the memory, to perform the method in each of the foregoing aspects.
  • BRIEF DESCRIPTION OF DRAWINGS
    • FIG. 1 is an architectural diagram of a system according to an embodiment of this application;
    • FIG. 2 is a schematic diagram of a method for obtaining an identifier of a terminal device according to an embodiment of this application;
    • FIG. 3A and FIG. 3B are a schematic diagram of a first method for obtaining an identifier of a terminal device according to an embodiment of this application;
    • FIG. 4A and FIG. 4B are a schematic diagram of a second method for obtaining an identifier of a terminal device according to an embodiment of this application;
    • FIG. 5A and FIG. 5B are a schematic diagram of a third method for obtaining an identifier of a terminal device according to an embodiment of this application;
    • FIG. 6A to FIG. 6C are a schematic diagram of a fourth method for obtaining an identifier of a terminal device according to an embodiment of this application;
    • FIG. 7A and FIG. 7B are a schematic diagram of a fifth method for obtaining an identifier of a terminal device according to an embodiment of this application;
    • FIG. 8A and FIG. 8B are a schematic diagram of a sixth method for obtaining an identifier of a terminal device according to an embodiment of this application; and
    • FIG. 9 to FIG. 15 are schematic diagrams of structures of communication apparatuses according to embodiments of this application.
  • DESCRIPTION OF EMBODIMENTS
  • FIG. 1 is a schematic diagram of a specific network architecture to which this application is applicable. The network architecture is a network architecture of a 5G system. A network element in the 5G architecture includes a terminal device (user equipment, UE). The network architecture further includes a radio access network (radio access network, RAN), an access and mobility management function (access and mobility management function, AMF) network element, a session management function (session management function, SMF) network element, a user plane function (user plane function, UPF) network element, a unified data management (unified data management, UDM) network element, an application function (application function, AF) network element, a data network (data network, DN), and the like.
  • The terminal device is a device having a wireless transceiver function, and may be deployed on land, including an indoor or outdoor device, a handheld device, or an in-vehicle device; or may be deployed on water (for example, on a ship); or may be deployed in the air (for example, on an airplane, a balloon, or a satellite). The terminal device may be a mobile phone (mobile phone), a tablet computer (pad), a computer having the wireless transceiver function, a virtual reality (virtual reality, VR) terminal, an augmented reality (augmented reality, AR) terminal, a wireless terminal in industrial control (industrial control), a wireless terminal in self driving (self driving), a wireless terminal in telemedicine (remote medical), a wireless terminal in a smart grid (smart grid), a wireless terminal in transportation safety (transportation safety), a wireless terminal in a smart city (smart city), a wireless terminal in a smart home (smart home), or the like. In embodiments of this application, there may be two types of terminal devices: remote UE (for example, a second terminal device) and relay UE (for example, a first terminal device). The remote UE is UE communicating with a data network via the relay UE. The relay UE is UE capable of directly communicating with the data network.
  • In embodiments of this application, the remote UE may send an anonymous identifier or an allocated temporary identifier of the remote UE to the relay UE, and the relay UE may send, to a PKMF network element, the anonymous identifier or the allocated temporary identifier sent by the remote UE.
  • A main function of the RAN is to control a user to wirelessly access a mobile communication network. The RAN is a part of a mobile communication system. The RAN implements a radio access technology. Conceptually, the RAN resides between a device (for example, a mobile phone, a computer, or any remote controller) and a core network, and provides a connection between the device and the core network.
  • The AMF network element is responsible for access management and mobility management of a terminal. In actual application, the AMF network element includes a mobility management function of an MME in an LTE network architecture, and further includes an access management function.
  • The SMF network element is responsible for session management such as user session establishment.
  • The UPF network element is a user-plane function network element, and is mainly responsible for connecting to an external network. The UPF network element includes related functions of a serving gateway (serving gateway, SGW) and a public data network gateway (public data network gateway, PDN-GW) in LTE.
  • The DN is a network responsible for providing services for the terminal. For example, some DNs provide a network access function for the terminal, and some other DNs provide a text messaging function for the terminal.
  • The UDM network element may store subscription information of a user, and implement a function similar to that of an HSS in 4G. In embodiments of this application, the UDM network element can determine a subscription permanent identifier (subscription permanent identifier, SUPI) of the terminal device based on the anonymous identifier or the temporary identifier of the remote UE.
  • The AF network element may be a third-party application control platform, or may be an operator-specific device. The AF network element may provide services for a plurality of application servers.
  • Although not shown, a core network element further includes a proximity-based services key management function (proximity-based services key management function, PKMF) network element, a subscription identifier de-concealing function (subscription identifier de-concealing function, SIDF) network element, a proximity-based services (proximity-based Services, ProSe) network element, a unified data repository (unified data repository, UDR) network element, and a bootstrapping server function (bootstrapping server function, BSF) network element.
  • The PKMF network element is configured to manage a key for UE in ProSe communication. The PKMF network element may be deployed independently, or may be co-deployed with another network element. For example, the PKMF network element may be co-deployed with the ProSe network element.
  • In embodiments of this application, the SIDF network element is capable of decrypting a SUCI to obtain a SUPI. The SIDF network element may be deployed independently, or may be co-deployed with another network element. For example, the SIDF network element may be co-deployed with the UDM network element.
  • The ProSe network element supports network-related actions for ProSe. The ProSe network element has the following functions: a direct provisioning function and a direct discovery name management function. The direct provisioning function is used to provide UE with necessary parameters, for example, a temporary identifier. The direct discovery name management function is used for opening ProSe direct discovery to allocate ProSe application codes. In embodiments of this application, the ProSe network element may allocate a temporary identifier to the UE, notify the UE of the allocated temporary identifier, and may send, to the UDM network element, the temporary identifier that is allocated to the UE.
  • The UDR network element is mainly configured to store user-related subscription data, policy data, structured data used for exposure, and application data.
  • In embodiments of this application, the BSF network element can provide, to the PKMF network element, a secure communication parameter required for establishing secure communication between the relay UE and the remote UE.
  • In embodiments of this application, a key management network element may receive, from a first terminal device, a first key request including a first identifier, where the first identifier is an anonymous identifier or a temporary identifier of a second terminal device. After determining that the first key request includes the first identifier, the key management network element may request, based on the first identifier, to obtain a subscription permanent identifier of the second terminal device from a unified data management network element. Then, the key management network element may perform an authorization check on the second terminal device based on the subscription permanent identifier of the second terminal device. After the authorization check succeeds, the key management network element may send, to the first terminal device, a secure communication parameter for establishing secure communication. In embodiments of this application, the first terminal device no longer needs to provide the subscription permanent identifier of the second terminal device to the key management network element. The key management network element may obtain the subscription permanent identifier of the second terminal device from the unified data management network element for authorization check, ensuring security of the subscription permanent identifier of the second terminal device.
  • The following describes a method for obtaining an identifier of a terminal device according to an embodiment of this application with reference to the accompanying drawings. Refer to FIG. 2. The method includes the following steps:
  • Step 201. A key management network element receives a first key request from a first terminal device, where the first key request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device.
  • Step 202. The key management network element determines that the first key request includes the first identifier. After receiving the first key request, the key management network element resolves the first key request. After determining that the first key request includes the first identifier, the key management network element obtains a subscription permanent identifier of the second terminal device by performing step 203.
  • Step 203. The key management network element sends a first request to a unified data management network element, where the first request includes the first identifier.
  • Step 204. The unified data management network element receives the first request from the key management network element, and obtains the subscription permanent identifier of the second terminal device based on the first identifier.
  • Step 205. The unified data management network element sends a first response to the key management network element, where the first response includes the subscription permanent identifier of the second terminal device.
  • Step 206. The key management network element performs an authorization check on the second terminal device based on the subscription permanent identifier of the second terminal device.
  • Step 207. After the authorization check on the second terminal device succeeds, the key management network element may send a first key response to the first terminal device, where the first key response includes a secure communication parameter.
  • When the second terminal device needs to communicate with a data network, the second terminal device may initiate a direct communication request to the first terminal device. The direct communication request may include the anonymous identifier or the temporary identifier of the second terminal device.
  • The anonymous identifier or the temporary identifier is an identifier pre-allocated to the second terminal device. The anonymous identifier may conceal a permanent identifier of a terminal device: only a specific network element can obtain, based on the anonymous identifier, the information about the terminal device that is concealed in the anonymous identifier. For example, the anonymous identifier may be a subscription concealed identifier (subscription concealed identifier, SUCI), and the SUCI is a privacy preserving identifier containing the subscription permanent identifier (subscription permanent identifier, SUPI).
  • In this embodiment of this application, the temporary identifier may be a short-validity-period identifier that is allocated by a proximity service network element (such as a ProSe network element) or the unified data management network element to the second terminal device.
  • For example, the proximity service network element may send the temporary identifier to the second terminal device in a registration process of the second terminal device. Specifically, the proximity service network element may allocate the temporary identifier to the second terminal device when receiving a registration request sent by the second terminal device. The proximity service network element sends the registration request response message including the temporary identifier to the second terminal device. After allocating the temporary identifier to the second terminal device, the proximity service network element may send the temporary identifier of the second terminal device to the unified data management network element. After receiving the temporary identifier of the second terminal device, the unified data management network element may locally store a correspondence between the temporary identifier and the subscription permanent identifier of the second terminal device.
  • In another example, the unified data management network element may alternatively allocate the temporary identifier to the second terminal device in a registration process of the second terminal device. After allocating the temporary identifier to the second terminal device, the unified data management network element may locally store a correspondence between the temporary identifier and the subscription permanent identifier of the second terminal device. The unified data management network element may further send the temporary identifier of the second terminal device to the proximity service network element. For example, the proximity service network element sends the received temporary identifier to the second terminal device.
  • It should be noted that the proximity service network element or the unified data management network element may periodically update the temporary identifier of the second terminal device. After updating the temporary identifier of the second terminal device, the proximity service network element or the unified data management network element may send an updated temporary identifier of the second terminal device to the second terminal device. If the proximity service network element updates the temporary identifier of the second terminal device, the proximity service network element may send the updated temporary identifier of the second terminal device to the unified data management network element, so that the unified data management network element updates a locally stored temporary identifier of the second terminal device.
  • After receiving the direct communication request, to determine whether the second terminal device is authorized to communicate via the first terminal device, the first terminal device may perform step 201 of sending the first key request to the key management network element, to request the key management network element to perform an authorization check on the second terminal device.
  • The key management network element resolves the first key request. If the key management network element determines that an identifier included in the first key request is the anonymous identifier or the temporary identifier of the second terminal device, the key management network element cannot perform an authorization check on the second terminal device based on the anonymous identifier or the temporary identifier of the second terminal device. The key management network element may perform step 203 of sending the first request including the first identifier, to request to obtain the subscription permanent identifier of the second terminal device from the unified data management network element.
  • After receiving the first request, the unified data management network element may determine the subscription permanent identifier of the second terminal device based on the anonymous identifier or the temporary identifier of the second terminal device, and feed back the first response including the subscription permanent identifier of the second terminal device to the key management network element.
  • The first request and the first response may be information in an existing interaction procedure between the key management network element and the unified data management network element.
  • For example, the first request may be a secure communication parameter obtaining request. The secure communication parameter obtaining request requests, from the unified data management network element, to obtain a secure communication parameter required for establishing secure communication between the first terminal device and the second terminal device. The key management network element may carry the anonymous identifier or the temporary identifier of the second terminal device in the secure communication parameter obtaining request. The secure communication parameter obtaining request further requests to obtain the subscription permanent identifier of the second terminal device from the unified data management network element.
  • Correspondingly, the first response is a secure communication parameter obtaining response. The secure communication parameter obtaining response includes the secure communication parameter required for establishing secure communication between the first terminal device and the second terminal device and the subscription permanent identifier of the second terminal device.
  • It should be noted that the foregoing description is provided only by using an example in which the first request is the secure communication parameter obtaining request and the first response is the secure communication parameter obtaining response. Types of the first request and the first response are not limited in this embodiment of this application. The first request and the first response may alternatively be other information in the existing interaction procedure between the key management network element and the unified data management network element. Alternatively, the first request and the first response may be new information in the interaction procedure between the key management network element and the unified data management network element, dedicated to requesting the subscription permanent identifier of the second terminal device. For example, the first request is a first subscriber identity resolution request, and the first response is a first subscriber identity resolution response.
  • The following describes a manner in which the unified data management network element determines the subscription permanent identifier of the second terminal device based on the anonymous identifier or the temporary identifier of the second terminal device.
  • 1. The unified data management network element determines the subscription permanent identifier of the second terminal device based on the anonymous identifier of the second terminal device.
  • The unified data management network element locally stores a correspondence between the anonymous identifier and the subscription permanent identifier of the second terminal device. The unified data management network element may determine the subscription permanent identifier of the second terminal device based on the stored correspondence and the anonymous identifier of the second terminal device.
  • The unified data management network element may alternatively obtain the subscription permanent identifier of the second terminal device from another network element based on the anonymous identifier of the second terminal device. The other network element may be a subscription identifier de-concealing function network element or a unified data repository network element.
  • After obtaining the subscription permanent identifier of the second terminal device from another network element, the unified data management network element may directly store the correspondence between the anonymous identifier and the subscription permanent identifier of the second terminal device. Alternatively, the unified data management network element may first determine an attribute of the second terminal device, and determine, based on the attribute of the second terminal device, whether to store the correspondence between the anonymous identifier and the subscription permanent identifier of the second terminal device.
  • For example, the unified data management network element may query for subscription information of the second terminal device based on the subscription permanent identifier of the second terminal device, to determine whether the second terminal device is a commercial (commercial) subscriber. If the second terminal device is a commercial subscriber, the unified data management network element may store the correspondence. If the second terminal device is not a commercial subscriber, for example, the second terminal device is a public safety (mission critical) subscriber, the unified data management network element does not store the correspondence.
  • In the foregoing description, the unified data management network element may actively store the correspondence. Certainly, in actual application, the unified data management network element may alternatively store the correspondence under indication of the key management network element.
  • For example, the key management network element may send a first indication to the unified data management network element. The first indication indicates the unified data management network element to store the correspondence between the anonymous identifier and the subscription permanent identifier of the second terminal device. A manner and a time for sending the first indication by the key management network element are not limited in this application. The key management network element may separately send the first indication to the unified data management network element. For example, the key management network element may send the first indication to the unified data management network element in advance, or the key management network element may send the first indication to the unified data management network element after sending the first request, or the key management network element may send the first indication after receiving the first response. Alternatively, the key management network element may include the first indication in a message that needs to be sent to the unified data management network element. For example, the key management network element may include the first indication in the first request.
  • 2. The unified data management network element determines the subscription permanent identifier of the second terminal device based on the temporary identifier of the second terminal device.
  • The unified data management network element locally stores the correspondence between the temporary identifier and the subscription permanent identifier of the second terminal device. The unified data management network element may determine the subscription permanent identifier of the second terminal device based on the stored correspondence and the temporary identifier of the second terminal device.
  • The unified data management network element may alternatively store the correspondence between the temporary identifier and the subscription permanent identifier of the second terminal device in another network element, for example, a unified data repository network element. The unified data management network element may obtain the correspondence from the other network element, and then determine the subscription permanent identifier of the second terminal device based on the temporary identifier of the second terminal device.
  • Optionally, after obtaining the subscription permanent identifier of the second terminal device, the unified data management network element may further determine a generic public subscription identifier (generic public subscription identifier, GPSI) of the second terminal device.
  • A manner in which the unified data management network element determines the generic public subscription identifier of the second terminal device based on the subscription permanent identifier of the second terminal device is similar to the manner in which the unified data management network element determines the subscription permanent identifier of the second terminal device based on the first identifier. For details, refer to the foregoing content. Details are not described herein again.
  • After receiving the first response from the unified data management network element and obtaining the subscription permanent identifier of the second terminal device, the key management network element may perform an authorization check on the second terminal device based on the subscription permanent identifier of the second terminal device.
  • The key management network element may store an identifier set. Identifiers in the identifier set are subscription permanent identifiers of terminal devices that can directly communicate with the first terminal device. In other words, the terminal devices indicated by the subscription permanent identifiers in the identifier set can establish a connection to a communication system for data exchange via the first terminal device, and are authorized to communicate via the first terminal device.
  • The key management network element may perform an authorization check on the second terminal device based on the identifier set and the subscription permanent identifier of the second terminal device. In other words, the key management network element determines whether the subscription permanent identifier of the second terminal device is an identifier in the identifier set.
  • When the subscription permanent identifier of the second terminal device is an identifier in the identifier set, the authorization check performed by the key management network element on the second terminal device succeeds.
  • If the first response is the secure communication parameter obtaining response, the key management network element may directly perform step 207.
  • If the first response is the first subscriber identity resolution response, after the authorization check performed by the key management network element on the second terminal device succeeds, the key management network element may send the secure communication parameter obtaining request to the unified data management network element, obtain a secure communication parameter from the unified data management network element, and then perform step 207. The first key response may further include the first identifier and the generic public subscription identifier of the second terminal device, so that the second terminal device may be indicated using the first identifier or the generic public subscription identifier. In other words, the secure communication parameter included in the first key response is the secure communication parameter required for establishing secure communication with the second terminal device.
  • Optionally, the key management network element interacts with the unified data management network element to obtain the subscription permanent identifier of the second terminal device. After the authorization check performed by the key management network element on the second terminal device succeeds, the key management network element may alternatively interact with a bootstrapping server function network element (BSF network element) based on the subscription permanent identifier of the second terminal device, to obtain the secure communication parameter.
  • When the subscription permanent identifier of the second terminal device is not an identifier in the identifier set, the authorization check performed by the key management network element on the second terminal device fails, and the key management network element may send a second indication to the first terminal device. The second indication indicates that the authorization check performed on the second terminal device fails. After receiving the second indication, the first terminal device may terminate or refuse to communicate with the second terminal device, that is, it does not serve the second terminal device.
  • The key management network element may further notify the unified data management network element to delete the correspondence between the anonymous identifier and the subscription permanent identifier of the second terminal device. The unified data management network element deletes, as notified by the key management network element, the stored correspondence between the anonymous identifier and the subscription permanent identifier of the second terminal device.
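The identifier resolution, authorization check and failure handling described above, as an added example in Python that is not code from the patent: a toy unified data management network element that de-conceals a first identifier (modelled as a SUCI) to a subscription permanent identifier and stores the correspondence, and a toy key management network element that resolves the first identifier, checks the resulting SUPI against its identifier set, obtains the secure communication parameter on success, and on failure returns the second indication and notifies the unified data management network element to delete the correspondence. The `combined` flag models the variant in which the first response is the secure communication parameter obtaining response rather than a separate identity resolution response. The SUCI table, the per-subscriber keys and the HMAC-based key-related information are constructed stand-ins for real SIDF de-concealment and key derivation.

```python
import hmac
import hashlib

# Constructed sample data: SUCI values modelled as opaque tokens that the UDM
# (or a SIDF it invokes) de-conceals to a SUPI. Real SUCIs are ECIES-protected;
# this table stands in for that decryption step.
SIDF_TABLE = {
    "suci-0-001-01-0-0-0-A1B2": "imsi-001010000000001",
    "suci-0-001-01-0-0-0-C3D4": "imsi-001010000000002",
}

# Constructed per-subscriber secrets (assumption: the UDM holds some long-term
# key per SUPI from which key-related information is derived).
SUBSCRIBER_KEYS = {
    "imsi-001010000000001": b"\x01" * 16,
    "imsi-001010000000002": b"\x02" * 16,
}


class UDM:
    """Toy unified data management network element."""

    def __init__(self):
        # correspondence between the anonymous identifier and the SUPI,
        # stored whenever a resolution succeeds
        self.correspondence = {}

    def resolve(self, suci):
        supi = SIDF_TABLE.get(suci)
        if supi is None:
            raise KeyError("unknown SUCI")
        self.correspondence[suci] = supi
        return supi

    def secure_parameter(self, supi):
        # key-related information: a constructed HMAC-based derivation
        return hmac.new(SUBSCRIBER_KEYS[supi], b"prose-relay-key",
                        hashlib.sha256).digest()

    def delete_correspondence(self, suci):
        # notified by the key management network element after a failed check;
        # ignored if nothing was stored
        self.correspondence.pop(suci, None)

    def identity_resolution(self, suci):
        """First subscriber identity resolution response."""
        return {"supi": self.resolve(suci)}

    def secure_parameter_obtaining(self, suci):
        """Secure communication parameter obtaining response (SUPI + parameter)."""
        supi = self.resolve(suci)
        return {"supi": supi, "param": self.secure_parameter(supi)}


class PKMF:
    """Toy key management network element holding the identifier set."""

    def __init__(self, udm, authorized_supis):
        self.udm = udm
        self.identifier_set = set(authorized_supis)

    def handle_key_request(self, first_identifier, combined=False):
        # 1. obtain the SUPI (and, in the combined variant, the parameter)
        try:
            if combined:
                first_response = self.udm.secure_parameter_obtaining(first_identifier)
            else:
                first_response = self.udm.identity_resolution(first_identifier)
        except KeyError:
            return {"result": "second_indication", "reason": "unresolvable identifier"}
        supi = first_response["supi"]
        # 2. authorization check against the identifier set
        if supi not in self.identifier_set:
            self.udm.delete_correspondence(first_identifier)
            return {"result": "second_indication", "reason": "authorization failed"}
        # 3. secure communication parameter, fetched now if not already present
        param = first_response.get("param") or self.udm.secure_parameter(supi)
        return {"result": "first_key_response",
                "first_identifier": first_identifier, "param": param}
```

The relay never sees the SUPI in this flow: the first key response carries the first identifier and the key-related information only, while the correspondence that would tie the anonymous identifier to a subscriber lives in the unified data management network element and is removed again when the authorization check fails.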
  • When the authorization check performed by the key management network element on the second terminal device succeeds, the first terminal device, after receiving the first key response, may establish secure communication with the second terminal device based on the secure communication parameter included in the first key response. In a process of establishing the secure communication, the first terminal device may send a direct security mode command to the second terminal device. The direct security mode command includes key-related information, and the key-related information is determined based on the secure communication parameter (for example, the secure communication parameter may include the key-related information). After receiving the direct security mode command, the second terminal device may generate a security key based on the key-related information. The security key may be used for encrypting and/or integrity-protecting data exchanged between the second terminal device and the first terminal device. After generating the security key, the second terminal device sends a direct security mode complete message to the first terminal device, to notify the first terminal device that the direct security mode procedure is completed.
  • After the first terminal device establishes secure communication with the second terminal device, the first terminal device may send a direct communication response to the second terminal device in response to the direct communication request sent by the second terminal device.
  • The first terminal device may allocate an Internet Protocol (Internet Protocol, IP) address to the second terminal device. The IP address is used by the second terminal device for data communication with a data network via the first terminal device. The IP address may be an Internet Protocol version 6 (internet protocol version 6, IPv6) prefix or an IPv4 address.
  • A process in which the second terminal device performs, based on the IP address, data communication with the data network via the first terminal device is as follows: The second terminal device performs data encapsulation using an IP address (for example, the IPv6 prefix or the IPv4 address) allocated by the first terminal device to the second terminal device, to generate a data packet, and sends the data packet to the first terminal device.
  • For a data packet generated through encapsulation using the IPv4 address, after receiving the data packet, the first terminal device translates the IPv4 address of the data packet into an IPv4 address of a PDU session (the IPv4 address of the PDU session is assigned by a network side to the first terminal device). The PDU session is a PDU session for a relay service. The first terminal device sends the data packet with the translated IPv4 address through a specific port. The data packet further includes a port number of the specific port. The specific port is allocated by the first terminal device for transmission of the data packet of the second terminal device.
  • For a data packet generated through encapsulation using the IPv6 prefix, the first terminal device may directly send the data packet to a PDU session.
  • When the first terminal device receives, from the data network, a data packet that needs to be sent to the second terminal device, it resolves the IP address or the port number of the data packet and thereby determines that the data packet is to be sent to the second terminal device. The first terminal device then sends the data packet to the second terminal device. For a data packet generated through encapsulation using the IPv4 address, the first terminal device determines the second terminal device based on the port number of the data packet.
  • After assigning the IP address to the second terminal device, the first terminal device may send, to a session management network element, a UE report message including IP information of the second terminal device, so that the session management network element can perform service control based on the IP information, such as lawful interception and traffic statistics.
  • If the IP address assigned by the first terminal device to the second terminal device is the IPv6 prefix, the IP information is the IPv6 prefix.
  • If the IP address assigned by the first terminal device to the second terminal device is the IPv4 address, the IP information may be a port number range assigned by the first terminal device to the second terminal device. This is because the first terminal device generally needs to assign, to the second terminal device, a port number for transmission of data packets, and subsequently determines, based on the port number included in a data packet, that the data packet is from the second terminal device.
  • The UE report message may further include a second identifier. The second identifier may be any one of the following identifiers for identifying the second terminal device: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, and the generic public subscription identifier of the second terminal device. The second identifier in the UE report message may be obtained by the first terminal device from the key management network element, or may be obtained from the second terminal device. After receiving the UE report message, the session management network element determines that the UE report message includes the second identifier. To determine a real identity of the second terminal device, the session management network element may request the subscription permanent identifier of the second terminal device from the unified data management network element.
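The address assignment, address translation and UE report behaviour of the first terminal device described above, as an added example in Python that is not part of the patent text: a toy relay that hands each remote UE either a /64 from a delegated IPv6 prefix or a private IPv4 address together with a port number range, rewrites uplink IPv4 packets onto the PDU session address and an allocated port, demultiplexes downlink packets back to the right remote UE by prefix or by port number, and builds the UE report message carrying the second identifier and the IP information (IPv6 prefix or port number range). The PDU session address, the delegated prefix, the private address pool and the port block size are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal IP/transport header view of a data packet (constructed model)."""
    src: str
    dst: str
    sport: int
    dport: int


class RelayUE:
    """Relay terminal device: assigns addresses to remote UEs and forwards
    their packets over its own PDU session for the relay service."""

    def __init__(self, pdu_ipv4, delegated_ipv6, first_port=20000, port_block=1000):
        # IPv4 address of the relay's PDU session, assigned by the network side
        self.pdu_ipv4 = ipaddress.IPv4Address(pdu_ipv4)
        # assumption: the relay holds a delegated IPv6 prefix and hands out /64s
        self._v6_pool = ipaddress.IPv6Network(delegated_ipv6).subnets(new_prefix=64)
        # constructed private pool for remote UEs behind IPv4 translation
        self._v4_pool = ipaddress.IPv4Network("10.0.0.0/24").hosts()
        self._next_port = first_port
        self.port_block = port_block
        self.remotes = {}  # second identifier -> assignment record

    def assign(self, second_identifier, family):
        """Allocate an IPv6 prefix, or an IPv4 address plus a port number range."""
        if family == "ipv6":
            rec = {"family": "ipv6", "prefix": next(self._v6_pool)}
        else:
            lo = self._next_port
            self._next_port += self.port_block
            rec = {"family": "ipv4", "addr": next(self._v4_pool),
                   "ports": range(lo, self._next_port), "map": {}, "next_map": lo}
        self.remotes[second_identifier] = rec
        return rec

    def uplink(self, pkt):
        """Packet from a remote UE: IPv6 goes to the PDU session unchanged;
        IPv4 is rewritten to the PDU session address and an allocated port."""
        src = ipaddress.ip_address(pkt.src)
        if src.version == 6:
            return pkt
        for rec in self.remotes.values():
            if rec["family"] == "ipv4" and rec["addr"] == src:
                if pkt.sport not in rec["map"]:
                    if rec["next_map"] >= rec["ports"].stop:
                        raise RuntimeError("port number range exhausted")
                    rec["map"][pkt.sport] = rec["next_map"]
                    rec["next_map"] += 1
                return Packet(str(self.pdu_ipv4), pkt.dst, rec["map"][pkt.sport], pkt.dport)
        raise LookupError("packet from an unknown remote UE")

    def downlink(self, pkt):
        """Packet from the data network: pick the remote UE by IPv6 prefix or,
        for IPv4, by destination port number, and undo the translation."""
        dst = ipaddress.ip_address(pkt.dst)
        for ident, rec in self.remotes.items():
            if rec["family"] == "ipv6" and dst in rec["prefix"]:
                return ident, pkt
            if rec["family"] == "ipv4" and dst == self.pdu_ipv4 and pkt.dport in rec["ports"]:
                inner = next((p for p, m in rec["map"].items() if m == pkt.dport), None)
                if inner is None:
                    # port inside the range but never used uplink: unsolicited, dropped
                    raise LookupError("no active mapping for this port")
                return ident, Packet(pkt.src, str(rec["addr"]), pkt.sport, inner)
        raise LookupError("no remote UE matches this packet")

    def ue_report(self, second_identifier):
        """UE report message for the session management network element."""
        rec = self.remotes[second_identifier]
        if rec["family"] == "ipv6":
            ip_info = {"ipv6_prefix": str(rec["prefix"])}
        else:
            ip_info = {"port_range": (rec["ports"].start, rec["ports"].stop - 1)}
        return {"second_identifier": second_identifier, "ip_information": ip_info}
```

The port number range in the UE report is what lets the session management network element attribute IPv4 traffic on the relay's single PDU session address to one remote UE; without it, service control such as traffic statistics or lawful interception could only be applied to the relay as a whole.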
  • For example, the session management network element may send a second subscriber identity resolution request to the unified data management network element. The second subscriber identity resolution request includes the second identifier. After receiving the second subscriber identity resolution request, the unified data management network element determines the subscription permanent identifier of the second terminal device based on the second identifier, and sends, to the session management network element, a second subscriber identity resolution response including the subscription permanent identifier of the second terminal device. After receiving the second subscriber identity resolution response, the session management network element obtains the subscription permanent identifier of the second terminal device.
  • For a manner in which the unified data management network element determines the subscription permanent identifier of the second terminal device based on the second identifier, refer to the foregoing description. Details are not described herein again.
  • It should be noted that in this embodiment of this application, the second identifier may alternatively be the subscription permanent identifier of the second terminal device. In this case, the session management network element does not need to obtain the subscription permanent identifier from the unified data management network element, and may directly perform service control based on the IP information, such as lawful interception and traffic statistics. In the foregoing description, the session management network element needs to interact with the unified data management network element to obtain the subscription permanent identifier of the second terminal device. In a possible implementation, an access and mobility management network element may also interact with the unified data management network element to obtain the subscription permanent identifier of the second terminal device, and then send the obtained subscription permanent identifier of the second terminal device to the session management network element.
  • For example, the first terminal device may send an N1 message to the access and mobility management network element, where the N1 message includes a second identifier and an N1 SM message, and the N1 SM message includes IP information. After receiving the second identifier, the access and mobility management network element may initiate an identifier resolution procedure, and send an identifier resolution request including the second identifier to the unified data management network element. After receiving the identifier resolution request, the unified data management network element may determine the subscription permanent identifier of the second terminal device based on the second identifier. Subsequently, the unified data management network element sends an identifier resolution response including the subscription permanent identifier of the second terminal device to the access and mobility management network element. The access and mobility management network element sends the subscription permanent identifier of the second terminal device and the N1 SM message to the session management network element. The subscription permanent identifier of the second terminal device and the N1 SM message may be included in an Nsmf message. In this way, the session management network element may obtain the subscription permanent identifier of the second terminal device from the Nsmf message.
  • In this embodiment of this application, the first terminal device is allowed to send a second key request to the key management network element, where the second key request may include an international mobile subscriber identity (international mobile subscriber identity, IMSI) of the second terminal device. After receiving the second key request, the key management network element may perform an authorization check on the second terminal device based on the IMSI of the second terminal device. After the authorization check on the second terminal device succeeds, the key management network element may obtain the secure communication parameter from the unified data management network element. After obtaining the secure communication parameter, the key management network element may send a second key response to the first terminal device, where the second key response includes the secure communication parameter.
  • Based on the network architecture shown in FIG. 1, the following further describes the method for obtaining an identifier of a terminal device shown in FIG. 2 by using an example in which the key management network element is a PKMF network element, the unified data management network element is a UDM network element, the session management network element is an SMF network element, the access and mobility management network element is an AMF network element, and the proximity service network element is a ProSe network element.
  • (1) The first identifier is a SUCI.
  • FIG. 3A and FIG. 3B show a method for obtaining an identifier of a terminal device according to an embodiment of this application. The method includes the following steps:
    • Step 301. Relay UE initiates a registration procedure to the AMF network element via a RAN, so that the relay UE registers with a 5G system.
    • Step 302. Remote UE initiates a discovery procedure for data exchange with a data network, to discover the relay UE, where in the discovery procedure, the remote UE detects the relay UE in proximity using radio signals, and identifies the relay UE.
    • Step 303. After discovering the relay UE, the remote UE may send a direct communication request to the relay UE, where the direct communication request requests to establish a communication connection to the relay UE, and the direct communication request includes a SUCI of the remote UE.
    • Step 304. After receiving the direct communication request, the relay UE may send a first key request to the PKMF network element, where the first key request includes the SUCI.
  • A function of the first key request is not limited in this embodiment of this application. The first key request may request the PKMF network element to perform an authorization check on the remote UE, or may request to allocate a security key to the remote UE, or may request a secure communication parameter required for establishing secure communication between the remote UE and the relay UE.
  • It should be noted that the relay UE may directly send the first key request to the PKMF network element, or may send the first key request to the PKMF network element via another network element.
  • Step 305. After receiving the first key request, and determining that the first key request includes the SUCI, the PKMF network element selects the UDM network element based on the SUCI, and sends, to the UDM network element, a first subscriber identity resolution request including the SUCI, to request the UDM network element to resolve the SUCI.
  • Step 306. After receiving the first subscriber identity resolution request, the UDM network element obtains the SUCI in the first subscriber identity resolution request. The UDM network element determines a SUPI of the remote UE based on the SUCI of the remote UE.
  • A manner in which the UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE is not limited in this embodiment of this application. For example, a UDM network element capable of decryption can directly decrypt the SUCI of the remote UE to obtain the SUPI of the remote UE. In another example, the UDM network element may invoke another network element (such as a SIDF network element), to obtain the SUPI of the remote UE from that network element.
  • Optionally, the UDM network element may further store a correspondence between the SUCI and the SUPI of the remote UE. A location for storing the correspondence by the UDM network element is not limited in this embodiment of this application. For example, the UDM network element may locally store the correspondence, or may store the correspondence in another network element (for example, a UDR network element). When the SUCI or the SUPI of the remote UE needs to be subsequently determined, the stored correspondence between the SUCI and the SUPI of the remote UE may be obtained from that network element.
  • It should be noted that the UDM network element may actively store the correspondence between the SUCI and the SUPI of the remote UE. For example, after determining the SUPI of the remote UE based on the SUCI of the remote UE, the UDM network element directly stores the correspondence, or may first determine, based on an attribute of the remote UE, whether to store the correspondence. The UDM network element may query for subscription information of the remote UE based on the SUPI of the remote UE, and store the correspondence after determining that the remote UE is a commercial subscriber.
  • Alternatively, the UDM network element may store the correspondence between the SUCI and the SUPI of the remote UE under indication of the PKMF network element. The PKMF network element may send, to the UDM network element, a first indication indicating to store the correspondence between the SUCI and the SUPI of the remote UE. After receiving the first indication, the UDM network element may store the correspondence between the SUCI and the SUPI of the remote UE. The first indication may be sent separately, or may be included in a message (for example, the first subscriber identity resolution request) sent by the PKMF network element to the UDM network element.
  • Step 307. After determining the SUPI of the remote UE, the UDM network element feeds back a first subscriber identity resolution response to the PKMF network element, where the first subscriber identity resolution response includes the SUPI of the remote UE.
  • Optionally, after determining the SUPI of the remote UE, the UDM network element may further determine a GPSI of the remote UE based on the SUPI of the remote UE, and include the GPSI of the remote UE in the first subscriber identity resolution response.
  • Step 308. After receiving the first subscriber identity resolution response, the PKMF network element obtains the SUPI of the remote UE from the first subscriber identity resolution response. The PKMF network element performs the authorization check on the remote UE based on the SUPI of the remote UE, to determine whether the remote UE is authorized to connect to a network for data exchange with a DN via the selected relay UE.
  • The PKMF network element may pre-store a SUPI set including one or more SUPIs. All terminal devices corresponding to the SUPIs in the set can connect to the network via the relay UE. The PKMF network element may determine whether the SUPI of the remote UE belongs to the SUPI set. If the SUPI of the remote UE belongs to the SUPI set, the authorization check performed by the PKMF network element on the remote UE succeeds, and the remote UE can perform data exchange with the 5G system via the relay UE. Otherwise, the authorization check performed by the PKMF network element fails.
  • Optionally, the first subscriber identity resolution response may further include the GPSI of the remote UE.
  • Step 309. After the authorization check performed by the PKMF network element on the remote UE succeeds, the PKMF network element obtains a secure communication parameter from the UDM network element, where the secure communication parameter is the parameter required for establishing secure communication between the relay UE and the remote UE. The secure communication parameter may include key-related information for generating a security key.
  • Optionally, the PKMF network element may alternatively obtain the secure communication parameter via another network element such as a BSF network element.
  • If the authorization check performed by the PKMF network element on the remote UE fails, the PKMF network element may send authorization failure indication information to the relay UE, so that the relay UE terminates or refuses to serve the remote UE. The PKMF network element may further notify the UDM network element to delete the stored correspondence between the SUCI and the SUPI of the remote UE. After receiving the notification, the UDM network element deletes the correspondence if the UDM network element has already stored the correspondence between the SUCI and the SUPI of the remote UE. Otherwise, the UDM network element ignores the notification.
  • Step 310. After obtaining the secure communication parameter, the PKMF network element may send a first key response to the relay UE, where the first key response includes the secure communication parameter.
  • Optionally, the first key response may further include the SUCI of the remote UE. The SUCI of the remote UE included in the first key response is used by the relay UE to provide the information for a core network element such as the SMF network element or the AMF network element.
  • It should be noted that when the first key request requests the PKMF network element to perform the authorization check on the remote UE, the first key response may not include the secure communication parameter. In other words, the PKMF network element does not need to perform step 309. After the authorization check performed on the remote UE succeeds, the PKMF network element directly sends the first key response, to indicate that the authorization check performed on the remote UE succeeds. When the first key request requests to obtain the secure communication parameter, the first key response includes the secure communication parameter including the key-related information. It should be noted that if the first subscriber identity resolution response includes the GPSI of the remote UE, the first key response may not include the SUCI, but may include the GPSI of the remote UE.
  • Step 311. After receiving the first key response, the relay UE establishes secure communication with the remote UE based on the secure communication parameter.
  • Step 312. The relay UE sends a direct communication response to the remote UE in response to the direct communication request.
  • Step 313. The relay UE assigns, to the remote UE, an IP address required for communication.
  • Specifically, the IP address may be an IPv6 prefix or an IPv4 address.
  • Step 314. The relay UE needs to send a UE report message to the SMF network element, where the UE report message includes the SUCI and IP information of the remote UE. If the IP address in step 313 is the IPv6 prefix, the IP information is the IPv6 prefix assigned by the relay UE to the remote UE. If the IP address in step 313 is the IPv4 address, the IP information is a port number range assigned by the relay UE to the remote UE.
  • The relay UE may obtain the SUCI of the remote UE included in the UE report message from the first key response, or from the direct communication request.
  • Step 315. After receiving the UE report message, and determining that the UE report message includes the SUCI, the SMF network element sends a second subscriber identity resolution request including the SUCI to the UDM network element, to request the UDM network element to resolve the SUCI.
  • Step 316. After receiving the second subscriber identity resolution request, the UDM network element obtains the SUCI in the second subscriber identity resolution request. The UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE.
  • A manner in which the UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE is similar to the manner in which the UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE in step 306. For details, refer to the foregoing content. Details are not described herein again. It should be noted that, if the UDM network element stores the correspondence between the SUCI and the SUPI of the remote UE, when determining the SUPI of the remote UE based on the SUCI of the remote UE, the UDM network element may directly determine the SUPI of the remote UE based on the correspondence and the SUCI of the remote UE.
  • Optionally, in a case that the UDM network element stores the correspondence between the SUCI and the SUPI of the remote UE, the UDM network element may delete the correspondence after the UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE.
  • Step 317. After determining the SUPI of the remote UE, the UDM network element feeds back a second subscriber identity resolution response to the SMF network element, where the second subscriber identity resolution response includes the SUPI of the remote UE.
  • Step 318. After receiving the second subscriber identity resolution response, the SMF network element obtains the SUPI of the remote UE from the second subscriber identity resolution response. Further, the SMF network element may perform service control based on the SUPI and the received IP information, such as lawful interception and traffic statistics. This is not limited herein.
  • It should be noted that, if the first key response in step 310 includes the GPSI of the remote UE, the SUCI of the remote UE in step 314 to step 316 may be replaced with the GPSI of the remote UE.
  • In the embodiment shown in FIG. 3A and FIG. 3B, the PKMF network element first requests to obtain the SUPI of the remote UE from the UDM network element, and then requests the secure communication parameter from the UDM network element or another network element. To further reduce signaling interaction between the PKMF network element and the UDM network element, the PKMF network element may request the secure communication parameter while requesting to obtain the SUPI of the remote UE from the UDM network element. For details, refer to the embodiment shown in FIG. 4A and FIG. 4B. FIG. 4A and FIG. 4B show a method for obtaining an identifier of a terminal device according to an embodiment of this application. The method includes the following steps:
    • Step 401 to step 404 are the same as step 301 to step 304. For details, refer to the foregoing content. Details are not described herein again.
    • Step 405. After receiving the first key request, and determining that the first key request includes the SUCI, the PKMF network element selects the UDM network element based on the SUCI, and sends, to the UDM network element, a secure communication parameter obtaining request including the SUCI, where the secure communication parameter obtaining request requests to obtain a secure communication parameter and, because it includes the SUCI, also requests the UDM network element to resolve the SUCI.
    • Step 406. After receiving the secure communication parameter obtaining request, the UDM network element determines the secure communication parameter, obtains the SUCI from the secure communication parameter obtaining request, and determines a SUPI of the remote UE based on the SUCI of the remote UE.
  • For a manner in which the UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE and stores a correspondence between the SUCI and the SUPI of the remote UE, refer to related descriptions in step 306. Details are not described herein again.
  • Step 407. After determining the SUPI of the remote UE, the UDM network element feeds back a secure communication parameter obtaining response to the PKMF network element, where the secure communication parameter obtaining response includes the SUPI of the remote UE and the secure communication parameter. Optionally, after determining the SUPI of the remote UE, the UDM network element may further determine a GPSI of the remote UE based on the SUPI of the remote UE, and include the GPSI of the remote UE in the secure communication parameter obtaining response.
  • Step 408. After receiving the secure communication parameter obtaining response, the PKMF network element obtains the SUPI of the remote UE from the secure communication parameter obtaining response. The PKMF network element performs the authorization check on the remote UE based on the SUPI of the remote UE, to determine whether the remote UE is authorized to connect to a network for data exchange with a DN via the selected relay UE.
  • Step 409. After obtaining the secure communication parameter, the PKMF network element may send a first key response to the relay UE, where the first key response includes the secure communication parameter.
  • Step 410. After the authorization check on the remote UE succeeds, the PKMF network element establishes secure communication with the remote UE based on the secure communication parameter.
  • Step 411 to step 417 are the same as step 312 to step 318. For details, refer to the foregoing content. Details are not described herein again.
  • In the embodiment shown in FIG. 3A and FIG. 3B or FIG. 4A and FIG. 4B, after the authorization check performed by the PKMF network element on the remote UE succeeds, the first key response sent by the PKMF network element to the relay UE includes the SUCI of the remote UE. Alternatively, the PKMF network element may directly notify the relay UE of the SUPI of the remote UE. For details, refer to the following embodiment.
  • FIG. 5A and FIG. 5B show a method for obtaining an identifier of a terminal device according to an embodiment of this application. The method includes the following steps:
    • Step 501 to step 509 are the same as step 301 to step 309. For details, refer to the foregoing content. Details are not described herein again.
    • Step 510. After obtaining the secure communication parameter, the PKMF network element may send a first key response to the relay UE, where the first key response includes the secure communication parameter.
  • Optionally, the first key response may further include the SUPI of the remote UE.
  • Step 511 to step 513 are the same as step 311 to step 313. For details, refer to the foregoing content. Details are not described herein again.
  • Step 514. The relay UE needs to send a UE report message to the SMF network element, where the UE report message includes the SUPI and IP information of the remote UE. If the IP address in step 513 is an IPv6 prefix, the IP information is the IPv6 prefix assigned by the relay UE to the remote UE. If the IP address in step 513 is an IPv4 address, the IP information is a port number range assigned by the relay UE to the remote UE. The IPv4 address corresponds to the port number range.
  • The relay UE may obtain the SUCI of the remote UE included in the UE report message from the first key response, or from the direct communication request.
  • Step 515. The SMF network element obtains the SUPI of the remote UE from the UE report message. Further, the SMF network element may perform service control based on the SUPI and the received IP information, such as lawful interception and traffic statistics. This is not limited herein.
  • It should be noted that, in the embodiment shown in FIG. 5A and FIG. 5B, the PKMF network element may directly send a secure parameter obtaining request including the SUCI to the UDM network element. The UDM network element determines the SUPI of the remote UE based on the SUCI, and determines the secure communication parameter. Subsequently, the UDM network element sends a secure parameter obtaining response to the PKMF network element, where the secure parameter obtaining response includes the SUPI of the remote UE and the secure communication parameter.
  • In this embodiment, the SMF network element determines the SUPI of the remote UE with no need to interact with the UDM network element, so that signaling interaction can be further reduced.
  • (2) The first identifier is a temporary identifier of the remote UE.
  • FIG. 6A to FIG. 6C show a method for obtaining an identifier of a terminal device according to an embodiment of this application. The method includes the following steps:
    • Step 601. A ProSe network element allocates a temporary identifier to remote UE.
    • Step 602. The ProSe network element sends, to a UDM network element, the temporary identifier allocated to the remote UE.
  • After receiving the temporary identifier of the remote UE, the UDM network element may locally store a correspondence between the temporary identifier and a SUPI of the remote UE.
  • Step 603. The ProSe network element sends the temporary identifier of the remote UE to the remote UE.
  • Step 604. Relay UE initiates a registration procedure to an AMF network element via a RAN, so that the relay UE registers with the 5G system.
  • Step 605. The remote UE initiates a discovery procedure for data exchange with a data network, to discover the relay UE.
  • Step 606. After discovering the relay UE, the remote UE may send a direct communication request to the relay UE, where the direct communication request requests to establish a communication connection to the relay UE, and the direct communication request includes the temporary identifier of the remote UE.
  • Step 607. After receiving the direct communication request, the relay UE may send a first key request to a PKMF network element, where the first key request includes the temporary identifier.
  • The relay UE may directly send the first key request to the PKMF network element, or may send the first key request to the PKMF network element via another network element.
  • For descriptions of the first key request, refer to related descriptions in the embodiment shown in FIG. 3A and FIG. 3B. Details are not described herein again.
  • Step 608. After receiving the first key request, and determining that the first key request includes the temporary identifier, the PKMF network element selects the UDM network element based on the temporary identifier, and sends, to the UDM network element, a first subscriber identity resolution request including the temporary identifier, to request the UDM network element to resolve the temporary identifier.
  • Step 609. After receiving the first subscriber identity resolution request, the UDM network element obtains the temporary identifier in the first subscriber identity resolution request. The UDM network element determines the SUPI of the remote UE based on the temporary identifier of the remote UE.
  • The UDM network element determines the SUPI of the remote UE based on the stored correspondence between the temporary identifier and the SUPI of the remote UE.
  • Step 610. After determining the SUPI of the remote UE, the UDM network element feeds back a first subscriber identity resolution response to the PKMF network element, where the first subscriber identity resolution response includes the SUPI of the remote UE.
  • Step 611 to step 612 are the same as step 308 to step 309. For details, refer to the foregoing content. Details are not described herein again.
  • Step 613. After obtaining the secure communication parameter, the PKMF network element may send a first key response to the relay UE, where the first key response includes the secure communication parameter.
  • Optionally, the first key response may further include the temporary identifier of the remote UE. The temporary identifier carried in the first key response enables the relay UE to provide it to a core network element such as an SMF network element or an AMF network element.
  • Step 614 to step 616 are the same as step 311 to step 313. For details, refer to the foregoing content. Details are not described herein again.
  • Step 617. The relay UE needs to send a UE report message to the SMF network element, where the UE report message includes the temporary identifier and IP information of the remote UE. If the IP address in step 616 is an IPv6 prefix, the IP information is the IPv6 prefix assigned by the relay UE to the remote UE. If the IP address in step 616 is an IPv4 address, the IP information is a port number range assigned by the relay UE to the remote UE.
  • The temporary identifier of the remote UE included in the UE report message for the relay UE may be obtained from the first key response, or may be obtained from the direct communication request.
  • Step 618. After receiving the UE report message, and determining that the UE report message includes the temporary identifier, the SMF network element sends a second subscriber identity resolution request including the temporary identifier to the UDM network element, to request the UDM network element to resolve the temporary identifier.
  • Step 619. After receiving the second subscriber identity resolution request, the UDM network element obtains the temporary identifier in the second subscriber identity resolution request. The UDM network element determines the SUPI of the remote UE based on the temporary identifier of the remote UE.
  • The manner in which the UDM network element determines the SUPI of the remote UE based on the temporary identifier is the same as in step 609: a lookup of the stored correspondence between the temporary identifier and the SUPI of the remote UE. For details, refer to the foregoing content. Details are not described herein again.
  • Step 620. After determining the SUPI of the remote UE, the UDM network element feeds back a second subscriber identity resolution response to the SMF network element, where the second subscriber identity resolution response includes the SUPI of the remote UE.
  • Step 621. After receiving the second subscriber identity resolution response, the SMF network element obtains the SUPI of the remote UE from the second subscriber identity resolution response. Further, the SMF network element may perform service control based on the SUPI and the received IP information, such as lawful interception and traffic statistics. This is not limited herein.
  • It should be noted that, in the embodiment shown in FIG. 6A to FIG. 6C, the PKMF network element may directly send a secure parameter obtaining request including the temporary identifier of the remote UE to the UDM network element. The UDM network element determines the SUPI of the remote UE based on the temporary identifier, and determines the secure communication parameter. Subsequently, the UDM network element sends a secure parameter obtaining response to the PKMF network element, where the secure parameter obtaining response includes the remote SUPI and the secure communication parameter.
  • In the embodiment shown in FIG. 6A to FIG. 6C, the SMF network element needs to interact with the UDM network element to obtain the SUPI of the remote UE. In a possible implementation, the AMF network element may instead interact with the UDM network element to obtain the SUPI of the remote UE. The relay UE may send an N1 message to the AMF network element. The N1 message includes the temporary identifier of the remote UE and an N1 SM message, and the N1 SM message includes the IP information. After receiving the temporary identifier of the remote UE, the AMF network element may initiate an identifier resolution procedure, and send, to the UDM network element, an identifier resolution request including the temporary identifier of the remote UE. After receiving the identifier resolution request, the UDM network element may determine the SUPI of the remote UE based on the temporary identifier of the remote UE. Subsequently, the UDM network element sends an identifier resolution response including the SUPI of the remote UE to the AMF network element. The AMF network element sends an Nsmf message to the SMF network element, where the Nsmf message includes the SUPI of the remote UE and the N1 SM message. The SMF network element may obtain the SUPI of the remote UE from the Nsmf message.
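  • The temporary-identifier flow of FIG. 6A to FIG. 6C, modelled end to end as an added example; this is not code from the application and follows no 3GPP implementation. The network elements, message names and step numbers are those of the text. The subscription data, the authorization rule the PKMF applies (a per-SUPI flag), the form of the secure communication parameter (16 random bytes) and the SUPI values are constructed for the example. The failed-authorization branch, in which the PKMF notifies the UDM to delete the correspondence between the temporary identifier and the SUPI, follows the apparatus description later on this page.

```python
"""Model of the FIG. 6 flow: temporary identifier -> SUPI resolution.

Added example, not the applicant's code. Subscription data, the authorization
rule and the secure communication parameter are constructed placeholders.
"""
import ipaddress
import secrets


class UDM:
    """Keeps the temporary identifier -> SUPI correspondence (steps 602, 609, 619)."""

    def __init__(self, subscriptions):
        self.subscriptions = subscriptions  # constructed: SUPI -> {"relay_authorized": bool}
        self.tmp_to_supi = {}

    def store_correspondence(self, tmp_id, supi):
        self.tmp_to_supi[tmp_id] = supi

    def delete_correspondence(self, tmp_id):
        self.tmp_to_supi.pop(tmp_id, None)

    def resolve(self, tmp_id):
        """Subscriber identity resolution request/response (steps 608-610, 618-620)."""
        if tmp_id not in self.tmp_to_supi:
            raise LookupError(f"unknown temporary identifier {tmp_id!r}")
        return self.tmp_to_supi[tmp_id]


class ProSeFunction:
    """Allocates the temporary identifier and registers it with the UDM (steps 601-603)."""

    def __init__(self, udm):
        self.udm = udm

    def allocate_temporary_identifier(self, supi):
        tmp_id = "tmp-" + secrets.token_hex(8)
        self.udm.store_correspondence(tmp_id, supi)
        return tmp_id  # sent to the remote UE in step 603


class PKMF:
    """Resolves the first identifier, checks authorization, answers the key request (608-613)."""

    def __init__(self, udm):
        self.udm = udm

    def handle_first_key_request(self, request):
        tmp_id = request.get("temporary_identifier")
        if tmp_id is None:
            raise ValueError("first key request carries no temporary identifier")
        supi = self.udm.resolve(tmp_id)
        if not self.udm.subscriptions.get(supi, {}).get("relay_authorized", False):
            self.udm.delete_correspondence(tmp_id)  # failed check: drop the mapping
            return {"status": "rejected"}
        return {
            "status": "ok",
            "secure_communication_parameter": secrets.token_bytes(16),  # constructed
            "temporary_identifier": tmp_id,  # optional field of the first key response
        }


class SMF:
    """Resolves the identifier from the UE report and records SUPI -> IP info (618-621)."""

    def __init__(self, udm):
        self.udm = udm
        self.bindings = {}  # input to service control (lawful interception, statistics)

    def handle_ue_report(self, report):
        supi = self.udm.resolve(report["temporary_identifier"])
        self.bindings[supi] = report["ip_information"]
        return supi


def ip_information(assigned, port_range=None):
    """Step 617: an IPv6 prefix is reported as-is; an IPv4 address needs its port range."""
    net = ipaddress.ip_network(assigned, strict=False)
    if net.version == 6:
        return {"ipv6_prefix": str(net)}
    if port_range is None:
        raise ValueError("an IPv4 address must be reported with the assigned port number range")
    lo, hi = port_range
    if not 0 < lo <= hi <= 65535:
        raise ValueError("port number range out of bounds")
    return {"ipv4_address": str(net.network_address), "port_range": (lo, hi)}


def run_relay_flow(udm, supi, assigned, port_range=None):
    """Steps 601-621 for one remote UE; returns what the SMF ends up knowing."""
    prose, pkmf, smf = ProSeFunction(udm), PKMF(udm), SMF(udm)
    tmp_id = prose.allocate_temporary_identifier(supi)           # 601-603
    direct_communication_request = {"temporary_identifier": tmp_id}  # 606
    key_response = pkmf.handle_first_key_request(                # 607-613
        {"temporary_identifier": direct_communication_request["temporary_identifier"]})
    if key_response["status"] != "ok":
        return {"status": "rejected", "mapping_kept": tmp_id in udm.tmp_to_supi}
    report = {                                                   # 617
        "temporary_identifier": key_response["temporary_identifier"],
        "ip_information": ip_information(assigned, port_range),
    }
    resolved = smf.handle_ue_report(report)                      # 618-621
    return {"status": "ok", "supi": resolved, "ip_information": smf.bindings[resolved]}


if __name__ == "__main__":
    udm = UDM({"imsi-001010123456789": {"relay_authorized": True},   # constructed SUPIs
               "imsi-001010987654321": {"relay_authorized": False}})
    print(run_relay_flow(udm, "imsi-001010123456789", "2001:db8:1::/64"))
    print(run_relay_flow(udm, "imsi-001010123456789", "10.0.0.5", (40000, 40999)))
    print(run_relay_flow(udm, "imsi-001010987654321", "2001:db8:2::/64"))
```

  • The point worth noticing in the model is that the SUPI never leaves the core: the relay UE handles only the temporary identifier, and both the PKMF and the SMF have to go back to the UDM to map it to the SUPI, which is exactly the second round trip that the FIG. 7 variant removes by letting the PKMF hand the SUPI to the relay UE.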
  • In the embodiment shown in FIG. 6A to FIG. 6C, after an authorization check performed by the PKMF network element on the remote UE succeeds, the first key response sent by the PKMF network element to the relay UE includes the temporary identifier of the remote UE. Alternatively, the PKMF network element may directly notify the relay UE of the SUPI of the remote UE. For details, refer to the following embodiment.
  • FIG. 7A and FIG. 7B show a method for obtaining an identifier of a terminal device according to an embodiment of this application. The method includes the following steps:
    • Step 701 to step 712 are the same as step 601 to step 612. For details, refer to the foregoing content. Details are not described herein again.
    • Step 713 to step 718 are the same as step 510 to step 515. For details, refer to the foregoing content. Details are not described herein again.
  • It should be noted that, in the embodiment shown in FIG. 7A and FIG. 7B, the PKMF network element may directly send a secure parameter obtaining request including the temporary identifier of the remote UE to the UDM network element. The UDM network element determines the SUPI of the remote UE based on the temporary identifier, and determines the secure communication parameter. Subsequently, the UDM network element sends a secure parameter obtaining response to the PKMF network element, where the secure parameter obtaining response includes the remote SUPI and the secure communication parameter. In other words, the PKMF network element may request the secure communication parameter while requesting to obtain the SUPI of the remote UE from the UDM network element, so that signaling interaction can be reduced.
  • In a possible implementation, in this embodiment of this application, the relay UE may first obtain the secure communication parameter, establish secure communication with the remote UE, and then request, via the SMF network element or the AMF network element, the UDM network element to resolve the SUCI.
  • Refer to FIG. 8A and FIG. 8B. An example in which relay UE requests, via the AMF network element, the UDM network element to resolve the SUCI is used for description. The method includes the following steps:
    • Step 801 to step 803 are the same as step 301 to step 303. For details, refer to the foregoing content. Details are not described herein again.
    • Step 804. After receiving the direct communication request, the relay UE may obtain a secure communication parameter from the PKMF network element.
  • Specifically, the direct communication request includes a key identifier. The key identifier identifies the security key used for encrypting and/or integrity protecting the data exchanged between the remote UE and the relay UE. The relay UE may obtain the corresponding secure communication parameter from the PKMF network element based on the key identifier.
  • Step 805. The relay UE establishes secure communication with the remote UE based on the secure communication parameter.
  • Step 806. The relay UE sends a direct communication response to the remote UE in response to the direct communication request.
  • Step 807. The relay UE assigns, to the remote UE, an IP address required for communication.
  • Specifically, the IP address may be an IPv6 prefix or an IPv4 address.
  • Step 808. The relay UE sends an N1 message to the AMF network element, where the N1 message includes the SUCI of the remote UE and an N1 SM message, and the N1 SM message includes IP information.
  • If the IP address in step 807 is the IPv6 prefix, the IP information is the IPv6 prefix assigned by the relay UE to the remote UE. If the IP address in step 807 is the IPv4 address, the IP information is a port number range assigned by the relay UE to the remote UE.
  • Step 809. After receiving the N1 message, and determining that the N1 message includes the SUCI, the AMF network element sends an identifier resolution request including the SUCI to the UDM network element, to request the UDM network element to resolve the SUCI.
  • Step 810. After receiving the identifier resolution request, the UDM network element obtains the SUCI in the identifier resolution request. The UDM network element determines a SUPI of the remote UE based on the SUCI of the remote UE.
  • A manner in which the UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE is similar to the manner in which the UDM network element determines the SUPI of the remote UE based on the SUCI of the remote UE in step 306. For details, refer to the foregoing content. Details are not described herein again.
  • Step 811. After determining the SUPI of the remote UE, the UDM network element feeds back an identifier resolution response to the AMF network element, where the identifier resolution response includes the SUPI of the remote UE.
  • Step 812. After receiving the identifier resolution response, the AMF network element obtains the SUPI of the remote UE from the identifier resolution response. The AMF network element sends an Nsmf message to the SMF network element, where the Nsmf message includes the SUPI of the remote UE and the N1 SM message.
  • Step 813. The SMF network element may perform service control based on the SUPI and the received IP information, such as lawful interception and traffic statistics. This is not limited herein.
  • It should be noted that the relay UE may alternatively request, via the SMF network element, the UDM network element to resolve the SUCI. Specifically, the relay UE may send the UE report message to the SMF network element via the AMF network element. After receiving the UE report message, the SMF network element may request the UDM network element to resolve the SUCI. For a specific process, refer to related descriptions of step 315 to step 318 in the embodiment shown in FIG. 3B.
  • Based on a same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the key management network element or the PKMF network element in the foregoing method embodiments. For related features, refer to the foregoing method embodiments. Details are not described herein again. As shown in FIG. 9, the apparatus includes a receiving unit 901, a processing unit 902, and a sending unit 903.
  • The receiving unit 901 is configured to receive a first key request from a first terminal device, where the first key request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device.
  • The processing unit 902 is configured to determine that the first key request includes the first identifier.
  • The sending unit 903 is configured to: after the processing unit 902 determines that the first key request includes the first identifier, send a first request to a unified data management network element, where the first request includes the first identifier.
  • The receiving unit 901 is further configured to receive a first response from the unified data management network element, where the first response includes a subscription permanent identifier SUPI of the second terminal device. The processing unit 902 is further configured to perform an authorization check on the second terminal device based on the SUPI of the second terminal device.
  • The sending unit 903 is further configured to: after the authorization check performed by the processing unit 902 on the second terminal device succeeds, send a first key response to the first terminal device, where the first key response includes a secure communication parameter, and the secure communication parameter is a parameter required for establishing secure communication between the first terminal device and the second terminal device.
  • In a possible implementation, the first response and the first key response further include a GPSI of the second terminal device or the first identifier.
  • In a possible implementation, the first request is a secure communication parameter obtaining request, and the first response is a secure communication parameter obtaining response.
  • In a possible implementation, after the authorization check performed by the processing unit 902 on the second terminal device based on the SUPI of the second terminal device fails, the sending unit 903 may notify the unified data management network element to delete a correspondence between the first identifier and the SUPI of the second terminal device. In a possible implementation, the sending unit 903 may further send a first indication to the unified data management network element, where the first indication indicates to store the correspondence between the first identifier and the SUPI of the second terminal device.
  • Based on a same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the unified data management network element or the UDM network element in the foregoing method embodiments. For related features, refer to the foregoing method embodiments. Details are not described herein again. As shown in FIG. 10, the apparatus includes a receiving unit 1001, a processing unit 1002, and a sending unit 1003.
  • The receiving unit 1001 is configured to receive a first request from a key management network element, where the first request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device.
  • The processing unit 1002 is configured to determine that the first request includes the first identifier; and after determining that the first request includes the first identifier, obtain a SUPI of the second terminal device based on the first identifier.
  • The sending unit 1003 is configured to send a first response to the key management network element, where the first response includes the SUPI of the second terminal device.
  • In a possible implementation, when determining the SUPI of the second terminal device based on the anonymous identifier of the second terminal device, the processing unit 1002 may obtain the SUPI of the second terminal device from a subscription identifier de-concealing network element based on the anonymous identifier of the second terminal device.
  • In a possible implementation, when determining the SUPI of the second terminal device based on the temporary identifier of the second terminal device, the processing unit 1002 may determine the SUPI of the second terminal device based on a stored correspondence between a SUPI and a temporary identifier of a terminal device and based on the temporary identifier of the second terminal device.
  • In a possible implementation, the processing unit 1002 may further allocate a temporary identifier to the second terminal device, and store a correspondence between the SUPI and the temporary identifier of the second terminal device. Subsequently, the sending unit 1003 may send the temporary identifier to the second terminal device via a proximity service network element.
  • In a possible implementation, the processing unit 1002 may further obtain, from the proximity service network element, a temporary identifier allocated by the proximity service network element to the second terminal device, and store a correspondence between the SUPI and the temporary identifier of the second terminal device.
  • In a possible implementation, after obtaining the SUPI of the second terminal device based on the first identifier, the processing unit 1002 may store a correspondence between the first identifier and the SUPI of the second terminal device.
  • In a possible implementation, before the processing unit 1002 stores the correspondence between the first identifier and the SUPI of the second terminal device, the receiving unit 1001 may receive a first indication from the key management network element. The first indication indicates to store the correspondence between the first identifier and the SUPI of the second terminal device.
  • In a possible implementation, before storing the correspondence between the first identifier and the SUPI of the second terminal device, the processing unit 1002 may further determine, based on an attribute of the second terminal device, that the correspondence between the first identifier and the SUPI of the second terminal device needs to be stored. In a possible implementation, the processing unit 1002 may delete, as notified by the key management network element, the correspondence between the first identifier and the SUPI of the second terminal device.
  • In a possible implementation, the processing unit 1002 may determine a GPSI of the second terminal device based on the SUPI of the second terminal device, and then include the GPSI of the second terminal device in the first response. In a possible implementation, the receiving unit 1001 may further receive a subscriber identity resolution request from a session management network element. The subscriber identity resolution request includes a second identifier, and the second identifier is one of the following: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device. Subsequently, the processing unit 1002 determines the SUPI of the second terminal device based on the second identifier. Then, the sending unit 1003 sends a subscriber identity resolution response to the session management network element, where the subscriber identity resolution response includes the SUPI of the second terminal device.
  • In a possible implementation, the receiving unit 1001 may further receive an identifier resolution request from an access and mobility management network element. The identifier resolution request includes a second identifier, and the second identifier is one of the following: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device. Subsequently, the processing unit 1002 may determine the SUPI of the second terminal device based on the second identifier. Then, the sending unit 1003 sends an identifier resolution response to the access and mobility management network element, where the identifier resolution response includes the SUPI of the second terminal device.
  • In a possible implementation, the first request is a secure communication parameter obtaining request, and the first response is a secure communication parameter obtaining response.
  • In a possible implementation, the first response may include the first identifier.
  • Based on a same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the session management network element or the SMF network element in the foregoing method embodiments. For related features, refer to the foregoing method embodiments. Details are not described herein again. As shown in FIG. 11, the apparatus includes a receiving unit 1101, a processing unit 1102, and a sending unit 1103.
  • The receiving unit 1101 is configured to receive a UE report message from a first terminal device, where the UE report message includes a second identifier and IP information allocated by the first terminal device to a second terminal device. The second identifier is one of the following: an anonymous identifier of the second terminal device, a temporary identifier of the second terminal device, or a GPSI of the second terminal device.
  • The processing unit 1102 is configured to determine that the UE report message includes the second identifier.
  • The sending unit 1103 is configured to: after the processing unit 1102 determines that the UE report message includes the second identifier, send a subscriber identity resolution request to a unified data management network element, where the subscriber identity resolution request includes the second identifier.
  • The receiving unit 1101 is further configured to receive a subscriber identity resolution response from the unified data management network element, where the subscriber identity resolution response includes a SUPI of the second terminal device.
  • The processing unit 1102 further performs service control on the second terminal device based on the SUPI and the IP information of the second terminal device.
  • Based on a same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the access and mobility management network element or the AMF network element in the foregoing method embodiments. For related features, refer to the foregoing method embodiments. Details are not described herein again. As shown in FIG. 12, the apparatus includes a receiving unit 1201, a processing unit 1202, and a sending unit 1203.
  • The receiving unit 1201 is configured to receive a UE report message from a first terminal device, where the UE report message includes a second identifier and IP information allocated by the first terminal device to a second terminal device. The second identifier is one of the following: an anonymous identifier of the second terminal device, a temporary identifier of the second terminal device, or a GPSI of the second terminal device.
  • The processing unit 1202 is configured to determine that the UE report message includes the second identifier.
  • The sending unit 1203 is configured to: after the processing unit 1202 determines that the UE report message includes the second identifier, send an identifier resolution request to a unified data management network element, where the identifier resolution request includes the second identifier, to request the unified data management network element to resolve the second identifier to the subscription permanent identifier SUPI of the second terminal device.
  • The receiving unit 1201 is further configured to receive an identifier resolution response from the unified data management network element, where the identifier resolution response includes the SUPI of the second terminal device.
  • The sending unit 1203 is further configured to send the SUPI and the IP information of the second terminal device to a session management network element.
  • Based on a same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the first terminal device or the relay UE in the foregoing method embodiments. For related features, refer to the foregoing method embodiments. Details are not described herein again. As shown in FIG. 13, the apparatus includes a receiving unit 1301, a processing unit 1302, and a sending unit 1303.
  • The processing unit 1302 is configured to determine that direct communication needs to be established with a second terminal device.
  • The sending unit 1303 is configured to: after the processing unit 1302 determines that direct communication needs to be established with the second terminal device, send a first key request to a key management network element. The first key request includes a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of the second terminal device.
  • The receiving unit 1301 is configured to receive a first key response from the key management network element, where the first key response includes a secure communication parameter.
  • The processing unit 1302 is further configured to establish secure communication with the second terminal device based on the secure communication parameter.
  • In a possible implementation, the first key response further includes a GPSI of the second terminal device or the first identifier.
  • In embodiments of this application, division into the units is an example and is merely logical function division, and may be other division during actual implementation. In addition, functional units in embodiments of this application may be integrated into one processor, may exist alone physically, or two or more units may be integrated into one module. The foregoing integrated unit may be implemented in a form of hardware, or may be implemented in a form of a software functional module.
  • When the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, the integrated unit may be stored in a computer-readable storage medium. Based on such an understanding, the technical solutions of this application essentially, or the part contributing to the current technology, or all or some of the technical solutions may be implemented in a form of a software product. The computer software product is stored in a storage medium and includes several instructions for instructing a terminal device (which may be a personal computer, a mobile phone, a network device, or the like) or a processor to perform all or some of the steps of the methods in embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
  • In embodiments of this application, the key management network element, the unified data management network element, the session management network element, the access and mobility management network element, and the first terminal device each may be presented by integrating function modules. The "module" herein may be an ASIC, a circuit, a processor that executes one or more software or firmware programs, a memory, an integrated logic circuit, and/or another component capable of providing the foregoing functions.
  • In a simple embodiment, a person skilled in the art may figure out that the key management network element, the unified data management network element, the session management network element, and the access and mobility management network element each may be in a form shown in FIG. 14.
  • A communication apparatus 1400 shown in FIG. 14 includes at least one processor 1401 and a memory 1402, and optionally, may further include a communication interface 1403.
  • The memory 1402 may be a volatile memory, for example, a random access memory; or the memory may be a nonvolatile memory, for example, a read-only memory, a flash memory, a hard disk drive (hard disk drive, HDD), or a solid-state drive (solid-state drive, SSD); or the memory 1402 is any other medium that can be used to carry or store expected program code in a form of an instruction or a data structure and that can be accessed by a computer, but is not limited thereto. The memory 1402 may be a combination of the foregoing memories.
  • In embodiments of this application, a specific connection medium between the processor 1401 and the memory 1402 is not limited. In embodiments of this application, in the figure, the memory 1402 and the processor 1401 are connected through a bus 1404. The bus 1404 is represented by a bold line in the figure. A connection manner between other components is described merely as an example and does not constitute any limitation. The bus 1404 may be classified as an address bus, a data bus, a control bus, or the like. For ease of representation, only one thick line is used to represent the bus in FIG. 14, but this does not mean that there is only one bus or only one type of bus.
  • The processor 1401 may have a data transceiver function, and can communicate with another device. In the apparatus in FIG. 14, an independent data transceiver module, for example, the communication interface 1403, may be disposed for data sending and receiving. When communicating with another device, the processor 1401 may perform data transmission through the communication interface 1403.
  • When the key management network element is in the form shown in FIG. 14, the processor 1401 in FIG. 14 may invoke computer executable instructions stored in the memory 1402, so that the key management network element can perform the method performed by the key management network element or the PKMF network element in any one of the foregoing method embodiments.
  • Specifically, functions/implementation processes of the sending unit, the receiving unit, and the processing unit in FIG. 9 may be implemented by the processor 1401 in FIG. 14 by invoking the computer-executable instructions stored in the memory 1402. Alternatively, functions/implementation processes of the processing unit in FIG. 9 may be implemented by the processor 1401 in FIG. 14 by invoking the computer-executable instructions stored in the memory 1402, and functions/implementation processes of the sending unit and the receiving unit in FIG. 9 may be implemented by the communication interface 1403 in FIG. 14.
  • When the unified data management network element is in the form shown in FIG. 14, the processor 1401 in FIG. 14 may invoke computer executable instructions stored in the memory 1402, so that the unified data management network element can perform the method performed by the unified data management network element or the UDM network element in any one of the foregoing method embodiments.
  • Specifically, functions/implementation processes of the sending unit, the receiving unit, and the processing unit in FIG. 10 may be implemented by the processor 1401 in FIG. 14 by invoking the computer-executable instructions stored in the memory 1402. Alternatively, functions/implementation processes of the processing unit in FIG. 10 may be implemented by the processor 1401 in FIG. 14 by invoking the computer-executable instructions stored in the memory 1402, and functions/implementation processes of the sending unit and the receiving unit in FIG. 10 may be implemented by the communication interface 1403 in FIG. 14.
  • When the session management network element is in the form shown in FIG. 14, the processor 1401 in FIG. 14 may invoke computer executable instructions stored in the memory 1402, so that the session management network element can perform the method performed by the session management network element or the SMF network element in any one of the foregoing method embodiments.
  • Specifically, functions/implementation processes of the receiving unit, the sending unit, and the processing unit in FIG. 11 may be implemented by the processor 1401 in FIG. 14 by invoking the computer executable instructions stored in the memory 1402. Alternatively, functions/implementation processes of the processing unit in FIG. 11 may be implemented by the processor 1401 in FIG. 14 by invoking the computer executable instructions stored in the memory 1402, and functions/implementation processes of the receiving unit and the sending unit in FIG. 11 may be implemented by the communication interface 1403 in FIG. 14.
  • When the access and mobility management network element is in the form shown in FIG. 14, the processor 1401 in FIG. 14 may invoke computer executable instructions stored in the memory 1402, so that the access and mobility management network element can perform the method performed by the access and mobility management network element or the AMF network element in any one of the foregoing method embodiments.
  • Specifically, functions/implementation processes of the receiving unit, the sending unit, and the processing unit in FIG. 12 may be implemented by the processor 1401 in FIG. 14 by invoking the computer executable instructions stored in the memory 1402. Alternatively, functions/implementation processes of the processing unit in FIG. 12 may be implemented by the processor 1401 in FIG. 14 by invoking the computer executable instructions stored in the memory 1402, and functions/implementation processes of the receiving unit and the sending unit in FIG. 12 may be implemented by the communication interface 1403 in FIG. 14.
  • In a simple embodiment, a person skilled in the art may figure out that the key management network element, the unified data management network element, the session management network element, and the access and mobility management network element each may be in a form shown in FIG. 15.
  • A communication apparatus 1500 shown in FIG. 15 includes at least one processor 1501 and a memory 1502, and optionally, may further include a transceiver 1503.
  • The processor 1501 and the memory 1502 are similar to the processor 1401 and the memory 1402. For details, refer to the foregoing content. Details are not described herein again.
  • In embodiments of this application, a specific connection medium between the processor 1501 and the memory 1502 is not limited. In embodiments of this application, in the figure, the memory 1502 and the processor 1501 are connected through a bus 1504. The bus 1504 is represented by a bold line in the figure. A connection manner between other components is described merely as an example and does not constitute any limitation. The bus 1504 may be classified as an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is used to represent the bus in FIG. 15, but this does not mean that there is only one bus or only one type of bus.
  • The processor 1501 may have a data transceiver function, and can communicate with another device. In the apparatus in FIG. 15, an independent data transceiver module, for example, the transceiver 1503, may be disposed for data sending and receiving. When communicating with another device, the processor 1501 may perform data transmission by using the transceiver 1503.
  • When the first terminal device is in the form shown in FIG. 15, the processor 1501 in FIG. 15 may invoke computer executable instructions stored in the memory 1502, so that the first terminal device can perform the method performed by the first terminal device or the relay UE in any one of the foregoing method embodiments.
  • Specifically, functions/implementation processes of the sending unit, the receiving unit, and the processing unit in FIG. 13 may be implemented by the processor 1501 in FIG. 15 by invoking the computer-executable instructions stored in the memory 1502. Alternatively, functions/implementation processes of the processing unit in FIG. 13 may be implemented by the processor 1501 in FIG. 15 by invoking the computer-executable instructions stored in the memory 1502, and functions/implementation processes of the sending unit and the receiving unit in FIG. 13 may be implemented by the transceiver 1503 in FIG. 15.
  • A person skilled in the art should understand that embodiments of this application may be provided as a method, a system, or a computer program product. Therefore, this application may use a form of a hardware-only embodiment, a software-only embodiment, or an embodiment with a combination of software and hardware. Moreover, this application may use a form of a computer program product that is implemented on one or more computer-usable storage media (including but not limited to a disk memory, a CD-ROM, an optical memory, and the like) that include computer usable program code.
  • This application is described with reference to the flowcharts and/or block diagrams of the method, the device (system), and the computer program product according to embodiments of this application. It should be understood that computer program instructions may be used to implement each process and/or each block in the flowcharts and/or the block diagrams and a combination of a process and/or a block in the flowcharts and/or the block diagrams. These computer program instructions may be provided for a general-purpose computer, a dedicated computer, an embedded processor, or a processor of another programmable data processing device to generate a machine, so that the instructions executed by a computer or the processor of the other programmable data processing device generate an apparatus for implementing a specific function in one or more processes in the flowcharts and/or in one or more blocks in the block diagrams.
  • These computer program instructions may alternatively be stored in a computer-readable memory that can instruct a computer or another programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory generate an artifact that includes an instruction apparatus. The instruction apparatus implements a specific function in one or more processes in the flowcharts and/or in one or more blocks in the block diagrams.
  • These computer program instructions may alternatively be loaded onto a computer or another programmable data processing device, so that a series of operations and steps are performed on the computer or the other programmable device, to generate computer-implemented processing. Therefore, the instructions executed on the computer or the other programmable device provide steps for implementing a specified function in one or more processes in the flowcharts and/or in one or more blocks in the block diagrams.
  • Clearly, a person skilled in the art can make various modifications and variations to embodiments of this application without departing from the scope of embodiments of this application. In this way, this application is intended to cover these modifications and variations in embodiments of this application provided that they fall within the scope of protection defined by the following claims of this application and their equivalent technologies.

Claims (46)

  1. A communication system, wherein the communication system comprises a key management network element and a unified data management network element;
    the key management network element is configured to receive a first key request from a first terminal device, wherein the first key request comprises a first identifier; and after determining that the first key request comprises the first identifier, send a first request to the unified data management network element, wherein the first request comprises the first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device;
    the unified data management network element is configured to receive the first request; after determining that the first request comprises the first identifier, determine a subscription permanent identifier SUPI of the second terminal device based on the first identifier; and send a first response to the key management network element, wherein the first response comprises the SUPI of the second terminal device; and
    the key management network element is further configured to receive the first response; perform an authorization check on the second terminal device based on the SUPI of the second terminal device; and after the authorization check on the second terminal device succeeds, send a first key response to the first terminal device, wherein the first key response comprises a secure communication parameter.
  2. The system according to claim 1, wherein the first response and the first key response further comprise a generic public subscription identifier GPSI of the second terminal device, and the unified data management network element is further configured to:
    determine the GPSI of the second terminal device based on the SUPI of the second terminal device.
  3. The system according to claim 1, wherein the first response and the first key response further comprise the first identifier, and the unified data management network element is further configured to:
    store a correspondence between the first identifier and the SUPI of the second terminal device.
  4. The system according to claim 3, wherein
    before storing the correspondence between the first identifier and the SUPI of the second terminal device, the unified data management network element is further configured to:
    receive a first indication from the key management network element, wherein the first indication indicates to store the correspondence between the first identifier and the SUPI of the second terminal device; and
    the key management network element is further configured to:
    send the first indication to the unified data management network element.
  5. The system according to claim 3 or 4, wherein
    the key management network element is further configured to: after the authorization check performed on the second terminal device fails, notify the unified data management network element to delete the correspondence between the first identifier and the SUPI of the second terminal device; and
    the unified data management network element is further configured to: delete, as notified by the key management network element, the correspondence between the first identifier and the SUPI of the second terminal device.
  6. The system according to any one of claims 1 to 5, wherein the unified data management network element determines the SUPI of the second terminal device based on the anonymous identifier of the second terminal device and is specifically configured to:
    obtain the SUPI of the second terminal device from a subscription identifier de-concealing network element based on the anonymous identifier of the second terminal device.
  7. The system according to any one of claims 1 to 5, wherein the unified data management network element determines the SUPI of the second terminal device based on the temporary identifier of the second terminal device and is specifically configured to:
    determine the SUPI of the second terminal device based on a stored correspondence between a SUPI and a temporary identifier of a terminal device and based on the temporary identifier of the second terminal device.
  8. The system according to claim 7, wherein before determining the SUPI of the second terminal device based on the temporary identifier of the second terminal device, the unified data management network element is further configured to:
    allocate a temporary identifier to the second terminal device, send the temporary identifier to the second terminal device via a proximity service network element, and store a correspondence between the SUPI and the temporary identifier of the second terminal device; or
    obtain, from a proximity service network element, a temporary identifier allocated by the proximity service network element to the second terminal device, and store a correspondence between the SUPI and the temporary identifier of the second terminal device.
  9. The system according to any one of claims 1 to 8, wherein the system further comprises a session management network element;
    the session management network element is configured to receive a UE report message from the first terminal device, wherein the UE report message comprises a second identifier and IP information allocated by the first terminal device to the second terminal device, and the second identifier is one of the following: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device; and after determining that the UE report message comprises the second identifier, send a subscriber identity resolution request to the unified data management network element, wherein the subscriber identity resolution request comprises the second identifier;
    the unified data management network element is configured to receive the subscriber identity resolution request, determine the SUPI of the second terminal device based on the second identifier, and send a subscriber identity resolution response to the session management network element, wherein the subscriber identity resolution response comprises the SUPI of the second terminal device; and
    the session management network element is further configured to receive the subscriber identity resolution response, and perform service control on the second terminal device based on the SUPI of the second terminal device and the IP information.
  10. The system according to any one of claims 1 to 9, wherein the system further comprises an access and mobility management network element;
    the access and mobility management network element is configured to receive the UE report message from the first terminal device, wherein the UE report message comprises the second identifier and the IP information allocated by the first terminal device to the second terminal device, and the second identifier is one of the following: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device; and send an identifier resolution request to the unified data management network element, wherein the identifier resolution request comprises the second identifier;
    the unified data management network element is further configured to receive the identifier resolution request, determine the SUPI of the second terminal device based on the second identifier, and send an identifier resolution response to the access and mobility management network element, wherein the identifier resolution response comprises the SUPI of the second terminal device; and
    the access and mobility management network element is further configured to receive the identifier resolution response, and send the SUPI of the second terminal device and the IP information to the session management network element.
  11. The system according to any one of claims 1 to 10, wherein the system further comprises the first terminal device, and
    the first terminal device is configured to send the first key request to the key management network element, receive the first key response from the key management network element, and after establishing secure communication with the second terminal device based on the secure communication parameter, send the UE report message to the session management network element via the access and mobility management network element.
  12. The system according to any one of claims 1 to 11, wherein the system further comprises the proximity service network element; and
    the proximity service network element is configured to allocate a temporary identifier to the second terminal device, and send the temporary identifier to the unified data management network element and the second terminal device.
  13. The system according to any one of claims 1 to 12, wherein
    the key management network element is further configured to receive a second key request from the first terminal device, wherein the second key request requests the secure communication parameter from the key management network element, and the second key request comprises an international mobile subscriber identity IMSI of the second terminal device; perform an authorization check on the second terminal device based on the IMSI of the second terminal device; and after the authorization check on the second terminal device succeeds, send a second key response to the first terminal device, wherein the second key response comprises the secure communication parameter.
  14. The system according to any one of claims 1 to 13, wherein the first request is a secure communication parameter obtaining request, and the first response is a secure communication parameter obtaining response.
  15. A method for obtaining an identifier of a terminal device, comprising:
    receiving, by a key management network element, a first key request from a first terminal device, wherein the first key request comprises a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device;
    after determining that the first key request comprises the first identifier, sending, by the key management network element, a first request to a unified data management network element, wherein the first request comprises the first identifier;
    receiving, by the key management network element, a first response from the unified data management network element, wherein the first response comprises a subscription permanent identifier SUPI of the second terminal device; and
    performing, by the key management network element, an authorization check on the second terminal device based on the SUPI of the second terminal device, and after the authorization check on the second terminal device succeeds, sending a first key response to the first terminal device, wherein the first key response comprises a secure communication parameter.
  16. The method according to claim 15, wherein the first response and the first key response further comprise a generic public subscription identifier GPSI of the second terminal device or the first identifier.
  17. The method according to claim 15 or 16, wherein the first request is a secure communication parameter obtaining request, and the first response is a secure communication parameter obtaining response.
  18. The method according to any one of claims 15 to 17, wherein the method further comprises:
    after the authorization check performed by the key management network element on the second terminal device based on the second identifier fails, notifying, by the key management network element, the unified data management network element to delete a correspondence between the first identifier and the SUPI of the second terminal device.
  19. The method according to any one of claims 15 to 18, wherein the method further comprises:
    sending, by the key management network element, a first indication to the unified data management network element, wherein the first indication indicates to store the correspondence between the first identifier and the SUPI of the second terminal device.
  20. A method for obtaining an identifier of a terminal device, comprising:
    receiving, by a unified data management network element, a first request from a key management network element, wherein the first request comprises a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of a second terminal device;
    after determining that the first request comprises the first identifier, obtaining, by the unified data management network element, a subscription permanent identifier SUPI of the second terminal device based on the first identifier; and
    sending, by the unified data management network element, a first response to the key management network element, wherein the first response comprises the SUPI of the second terminal device.
  21. The method according to claim 20, wherein the determining, by the unified data management network element, the SUPI of the second terminal device based on the anonymous identifier of the second terminal device comprises:
    obtaining, by the unified data management network element, the SUPI of the second terminal device from a subscription identifier de-concealing network element based on the anonymous identifier of the second terminal device.
  22. The method according to claim 20, wherein the determining, by the unified data management network element, the SUPI of the second terminal device based on the temporary identifier of the second terminal device comprises:
    determining, by the unified data management network element, the SUPI of the second terminal device based on a stored correspondence between a SUPI and a temporary identifier of a terminal device and based on the temporary identifier of the second terminal device.
  23. The method according to claim 22, wherein before the determining, by the unified data management network element, the SUPI of the second terminal device based on the temporary identifier of the second terminal device, the method further comprises:
    allocating, by the unified data management network element, a temporary identifier to the second terminal device, sending the temporary identifier to the second terminal device via a proximity service network element, and storing a correspondence between the SUPI and the temporary identifier of the second terminal device; or
    obtaining, by the unified data management network element from a proximity service network element, a temporary identifier allocated by the proximity service network element to the second terminal device, and storing a correspondence between the SUPI and the temporary identifier of the second terminal device.
  24. The method according to any one of claims 20 to 23, wherein after the obtaining, by the unified data management network element, the SUPI of the second terminal device based on the first identifier, the method further comprises:
    storing, by the unified data management network element, a correspondence between the first identifier and the SUPI of the second terminal device.
  25. The method according to claim 24, wherein before the storing, by the unified data management network element, a correspondence between the first identifier and the SUPI of the second terminal device, the method further comprises:
    receiving, by the unified data management network element, a first indication from the key management network element, wherein the first indication indicates to store the correspondence between the first identifier and the SUPI of the second terminal device.
  26. The method according to claim 25, wherein before the storing, by the unified data management network element, a correspondence between the first identifier and the SUPI of the second terminal device, the method further comprises:
    determining, by the unified data management network element based on an attribute of the second terminal device, that the correspondence between the first identifier and the SUPI of the second terminal device needs to be stored.
  27. The method according to any one of claims 24 to 26, wherein the method further comprises:
    deleting, by the unified data management network element as notified by the key management network element, the correspondence between the first identifier and the SUPI of the second terminal device.
  28. The method according to any one of claims 20 to 27, wherein the first response further comprises a generic public subscription identifier GPSI of the second terminal device, and the method further comprises:
    determining, by the unified data management network element, the GPSI of the second terminal device based on the SUPI of the second terminal device.
  29. The method according to any one of claims 20 to 28, wherein the first response further comprises the first identifier.
  30. The method according to any one of claims 20 to 29, wherein the method further comprises:
    receiving, by the unified data management network element, a subscriber identity resolution request from a session management network element, wherein the subscriber identity resolution request comprises a second identifier, and the second identifier is one of the following: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device;
    determining, by the unified data management network element, the SUPI of the second terminal device based on the second identifier; and
    sending, by the unified data management network element, a subscriber identity resolution response to the session management network element, wherein the subscriber identity resolution response comprises the SUPI of the second terminal device.
  31. The method according to any one of claims 20 to 29, wherein the method further comprises:
    receiving, by the unified data management network element, an identifier resolution request from an access and mobility management network element, wherein the identifier resolution request comprises the second identifier, and the second identifier is one of the following: the anonymous identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device;
    determining, by the unified data management network element, the SUPI of the second terminal device based on the second identifier; and
    sending, by the unified data management network element, an identifier resolution response to the access and mobility management network element, wherein the identifier resolution response comprises the SUPI of the second terminal device.
  32. The method according to any one of claims 20 to 31, wherein the first request is a secure communication parameter obtaining request, and the first response is a secure communication parameter obtaining response.
  33. A method for obtaining an identifier of a terminal device, comprising:
    receiving, by a session management network element, a UE report message from a first terminal device, wherein the UE report message comprises a second identifier and IP information allocated by the first terminal device to a second terminal device, and the second identifier is one of the following: an anonymous identifier of the second terminal device, a temporary identifier of the second terminal device, or a generic public subscription identifier GPSI of the second terminal device;
    after determining that the UE report message comprises the second identifier, sending, by the session management network element, a subscriber identity resolution request to a unified data management network element, wherein the subscriber identity resolution request comprises the second identifier; and
    receiving, by the session management network element, a subscriber identity resolution response from the unified data management network element, wherein the subscriber identity resolution response comprises a subscription permanent identifier SUPI of the second terminal device; and performing service control on the second terminal device based on the SUPI of the second terminal device and the IP information.
  34. A method for obtaining an identifier of a terminal device, comprising:
    receiving, by an access and mobility management network element, a UE report message from a first terminal device, wherein the UE report message comprises a second identifier and IP information allocated by the first terminal device to a second terminal device, and the second identifier is one of the following: an anonymous identifier of the second terminal device, a temporary identifier of the second terminal device, or a generic public subscription identifier GPSI of the second terminal device;
    after determining that the UE report message comprises the second identifier, sending, by the access and mobility management network element, an identifier resolution request to a unified data management network element, wherein the identifier resolution request comprises a subscription permanent identifier SUPI of the second terminal device;
    receiving, by the access and mobility management network element, an identifier resolution response from the unified data management network element, wherein the identifier resolution response comprises the SUPI of the second terminal device; and
    sending, by the access and mobility management network element, the SUPI of the second terminal device and the IP information to a session management network element.
  35. A method for obtaining an identifier of a terminal device, comprising:
    after determining that direct communication needs to be established with a second terminal device, sending, by a first terminal device, a first key request to a key management network element, wherein the first key request comprises a first identifier, and the first identifier is an anonymous identifier or a temporary identifier of the second terminal device; and
    receiving, by the first terminal device, a first key response from the key management network element, wherein the first key response comprises a secure communication parameter; and establishing, by the first terminal device, secure communication with the second terminal device based on the secure communication parameter.
  36. The method according to claim 35, wherein the first key response further comprises a generic public subscription identifier GPSI of the second terminal device or the first identifier.
  37. A communication apparatus, configured to implement the method according to any one of claims 15 to 19.
  38. A communication apparatus, configured to implement the method according to any one of claims 20 to 32.
  39. A communication apparatus, configured to implement the method according to claim 33.
  40. A communication apparatus, configured to implement the method according to claim 34.
  41. A communication apparatus, configured to implement the method according to any one of claim 35 or 36.
  42. A communication apparatus, comprising a processor and a memory, wherein the memory stores instructions, and when the processor executes the instructions, the apparatus is enabled to perform the method according to any one of claims 15 to 19.
  43. A communication apparatus, comprising a processor and a memory, wherein the memory stores instructions, and when the processor executes the instructions, the apparatus is enabled to perform the method according to any one of claims 20 to 32.
  44. A communication apparatus, comprising a processor and a memory, wherein the memory stores instructions, and when the processor executes the instructions, the apparatus is enabled to perform the method according to claim 33.
  45. A communication apparatus, comprising a processor and a memory, wherein the memory stores instructions, and when the processor executes the instructions, the apparatus is enabled to perform the method according to claim 34.
  46. A communication apparatus, comprising a processor and a memory, wherein the memory stores instructions, and when the processor executes the instructions, the apparatus is enabled to perform the method according to any one of claim 35 or 36.
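The identifier-resolution flow of claim 34 and the key-request flow of claims 35 and 36 can be traced in a small simulation. The following is an added example, not code from the patent or from Huawei; the network elements are plain Python classes, the identifier values and the SUPI table are constructed sample data, and two points are assumptions made here: that the resolution request carries the reported identifier while the response carries the SUPI, and that the key management element derives the secure communication parameter with an HMAC over a long-term root key. The property worth checking from a defender's view is that the permanent identifier (SUPI) is only ever exchanged between core elements (AMF, UDM, SMF), while the first terminal device and the key response see only the anonymous or temporary identifier or the GPSI.

```python
"""Simulation of claim 34 (AMF/UDM/SMF identifier resolution) and claims 35-36
(key request with an anonymous or temporary identifier). Added example; all
identifiers, message shapes and the key derivation are constructed."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets
from typing import Optional

# Identifier kinds named in the claims.
ANONYMOUS, TEMPORARY, GPSI, SUPI = "anonymous", "temporary", "gpsi", "supi"


@dataclass(frozen=True)
class Identifier:
    kind: str
    value: str


@dataclass(frozen=True)
class UeReport:
    """UE report message from the first (relay) terminal device."""
    second_identifier: Identifier
    ip_info: str  # IP information the first terminal allocated to the second


class UDM:
    """Unified data management: the only element that holds the SUPI mapping.
    The table is constructed sample data for one subscriber."""

    def __init__(self) -> None:
        supi = "imsi-001010000000042"
        self._by_alias = {
            Identifier(ANONYMOUS, "anon-7f3a"): supi,
            Identifier(TEMPORARY, "tmp-c0de"): supi,
            Identifier(GPSI, "msisdn-15551230042"): supi,
        }

    def resolve(self, ident: Identifier) -> Optional[str]:
        """Identifier resolution: alias in, SUPI out (assumed message contents)."""
        return self._by_alias.get(ident)


class SMF:
    """Session management: receives SUPI plus IP information from the AMF."""

    def __init__(self) -> None:
        self.bindings: dict[str, str] = {}

    def bind(self, supi: str, ip_info: str) -> None:
        self.bindings[supi] = ip_info


class AMF:
    """Access and mobility management element implementing claim 34."""

    def __init__(self, udm: UDM, smf: SMF) -> None:
        self.udm, self.smf = udm, smf

    def handle_ue_report(self, report: UeReport) -> Optional[str]:
        ident = report.second_identifier
        # Claim 34 resolves only these three kinds; a report that already
        # carries a SUPI (or anything else) is not forwarded.
        if ident.kind not in (ANONYMOUS, TEMPORARY, GPSI):
            return None
        supi = self.udm.resolve(ident)
        if supi is None:
            return None  # unknown alias: nothing is bound at the SMF
        self.smf.bind(supi, report.ip_info)
        return supi


class KMF:
    """Key management element implementing claims 35-36 (derivation assumed)."""

    def __init__(self, udm: UDM) -> None:
        self.udm = udm
        self._root = secrets.token_bytes(32)  # constructed long-term root key

    def key_request(self, first_identifier: Identifier) -> Optional[dict]:
        # Claim 35 allows only an anonymous or temporary identifier here.
        if first_identifier.kind not in (ANONYMOUS, TEMPORARY):
            return None
        supi = self.udm.resolve(first_identifier)
        if supi is None:
            return None
        param = hmac.new(self._root, supi.encode(), hashlib.sha256).digest()
        # Claim 36: the response carries the GPSI or the first identifier,
        # never the SUPI itself.
        return {"secure_parameter": param, "identifier": first_identifier}
```

Running `AMF.handle_ue_report` on a report carrying the anonymous identifier returns the SUPI and binds the relay-allocated IP at the SMF, while a report that already carries a SUPI or an unknown alias is dropped; `KMF.key_request` returns a 32-byte parameter and echoes the first identifier without exposing the SUPI.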

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/082564 WO2021196011A1 (en) 2020-03-31 2020-03-31 Terminal device identifier obtaining method, apparatus and system

Publications (2)

Publication Number Publication Date
EP4120713A1 (en) 2023-01-18
EP4120713A4 EP4120713A4 (en) 2023-05-10

Family

ID=77926924

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20928846.3A Pending EP4120713A4 (en) 2020-03-31 2020-03-31 Terminal device identifier obtaining method, apparatus and system

Country Status (5)

Country Link
US (1) US20230013010A1 (en)
EP (1) EP4120713A4 (en)
CN (1) CN115336303A (en)
BR (1) BR112022019957A2 (en)
WO (1) WO2021196011A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024065549A1 (en) * 2022-09-29 2024-04-04 北京小米移动软件有限公司 Direct-communication key generation method and apparatus

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3398287B1 (en) * 2015-12-22 2023-11-22 Nokia Technologies Oy Flexible security channel establishment in d2d communications
US20170325270A1 (en) * 2016-05-06 2017-11-09 Futurewei Technologies, Inc. System and Method for Device Identification and Authentication
WO2018126452A1 (en) * 2017-01-06 2018-07-12 华为技术有限公司 Authorization verification method and device
WO2019023825A1 (en) * 2017-07-30 2019-02-07 华为技术有限公司 Method and device for protecting privacy
CN109672708B (en) * 2017-10-16 2022-03-11 华为技术有限公司 Communication method, device and system
WO2019105695A1 (en) * 2017-11-30 2019-06-06 Telefonaktiebolaget Lm Ericsson (Publ) Secure deactivation of subscriber identifier protection in 5g
CN110830989B (en) * 2018-08-09 2021-06-08 华为技术有限公司 Communication method and device
US10499357B1 (en) * 2018-08-09 2019-12-03 Nec Corporation Method and system for transmission of SUSI in the NAS procedure
CN110602803B (en) * 2019-10-15 2020-12-08 广州爱浦路网络技术有限公司 Method for limiting user terminal to access UPF

Also Published As

Publication number Publication date
CN115336303A (en) 2022-11-11
BR112022019957A2 (en) 2022-12-13
US20230013010A1 (en) 2023-01-19
WO2021196011A9 (en) 2021-11-11
WO2021196011A1 (en) 2021-10-07
EP4120713A4 (en) 2023-05-10

Similar Documents

Publication Publication Date Title
US11979798B2 (en) Session establishment to join a group communication
US11805409B2 (en) System and method for deriving a profile for a target endpoint device
EP3629614A2 (en) Network slice allocation method, device and system
US20230199632A1 (en) Access to Second Network
US11659621B2 (en) Selection of IP version
US20220408333A1 (en) Session Management for Edge Computing
US11917718B2 (en) Local area network communication management method and apparatus
US20230239686A1 (en) Secure communication method, apparatus, and system
US20230189192A1 (en) Access to Second Network by Wireless Device
US20230188997A1 (en) Secure communication method and apparatus
CN112512044A (en) Subscription data updating method, device, node and storage medium
US20230013010A1 (en) Method for obtaining identifier of terminal device, apparatus, and system
US11533616B2 (en) Secure automated one time zero-touch bootstrapping and provisioning
WO2022112847A1 (en) Pdu session continuity for a ue moving between a telecommunications network and a gateway device
US20240007983A1 (en) Method, device, and system for core network device re-allocation in wireless network
US20230370992A1 (en) Method, device, and system for core network device re-allocation in wireless network
US20230300702A1 (en) Method, device, and system for core network device re-allocation in wireless network
US20230090543A1 (en) User Plane Security Enforcement Information Determining Method, Apparatus, and System
WO2023071885A1 (en) Communication method and communication apparatus
US20240349365A1 (en) Network function creation method and communication apparatus

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20221013

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

A4 Supplementary search report drawn up and despatched

Effective date: 20230412

RIC1 Information provided on ipc code assigned before grant

Ipc: H04W 88/04 20090101ALI20230404BHEP

Ipc: H04W 8/20 20090101ALI20230404BHEP

Ipc: H04W 76/11 20180101ALI20230404BHEP

Ipc: H04W 12/02 20090101AFI20230404BHEP

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)